Reputation: 384
PHP session_write_close() keeps sending a set-cookie header
In my framework, I make a number of calls to session_write_close().
Let's assume that a session has been initiated with a user agent. The following code...
foreach($i = 0; $i < 3; $i++) {
session_start();
session_write_close();
}
...will send the following request header to the browser:
Set-Cookie PHPSESSID=bv4d0n31vj2otb8mjtr59ln322; path=/
PHPSESSID=bv4d0n31vj2otb8mjtr59ln322; path=/
There should be no Set-Cookie header because, as I stipulated, the session cookie has already been created on the user's end. But every call to session_write_close() after the first one in the script above will result in PHP instructing the browser to set the current session again.
This is not breaking my app or anything, but it is annoying. Does anyone have any insight into preventing PHP from re-setting the cookie with each subsequent call to session_write_close?
EDIT
The problem seems to be that with every subsequent call to session_start(), PHP re-sets the session cookie to its own SID and sends a Set-Cookie response header. But why??
Upvotes: 3
Views: 3254
Answers (3)
Reputation: 7663
Almost every answer I found on SO says to just do a session_write_close() and session_start() over and over again...some even disable cookies with ini_set temporarily...this seems to be a very bad approach. The PHP authors provided a very clear, best-practice, path to injecting your own way of handling the sessions using session_set_save_handler.
I have created an example on another post that shows how you can replace your session_start() with Session::start() and replace session_write_close() with Session::save(). The class is a non-blocking (a user can have concurrent requests) class implemented for PHP 5.4+. In fact, it's just a tweaked version of PHP's example class.
While my example is PHP 5.4+, the same method works in older versions of PHP with callback methods instead of an interface implementation.
https://stackoverflow.com/a/27993746/482256
Upvotes: 2
Reputation: 1173
PHP does not recommend doing so, and there were bunch of bugs submitted for this. Since they think it's not a good practice - this is the bug that is not going to be fixed.
Upvotes: 3
Reputation: 3565
session_write_close just close session and write data
while session_start send cookies
if your don`t want send session cookie your mustn't call session_start
Upvotes: 1
Related Questions
- PHP - Session destroy after closing browser
- Prevent php session_start() to send a cookie
- php session and cookies destroy
- Session cookie is reset to default at the end of the script
- php httponly cookies being deleted on browser close
- session destroy cookies on log out
- PHP Save Session when using session_write_close();
- php session cookie too persistent
- PHP Session Cookie Not Being Cleared On Browser Close
- Cookie being destroyed when browser quits