bugs.php.net

PHP :: Bug #32944 :: Disabling session.use_cookies doesn't prevent reading session cookies

Submitted: 2005-05-04 17:04 UTC Modified: 2005-05-20 12:28 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: dziugas at gmail dot com Assigned:
Status: Closed Package: Session related
PHP Version: 5.*, 4.* (2005-05-06) OS: *
Private report: No CVE-ID: None

 [2005-05-04 17:04 UTC] dziugas at gmail dot com

Description:
------------
If the configuration directive session.use_cookies is set to 0 (or Off), cookies aren't sent to the browser anymore; however, if the browser sends a previously received cookie within a request, PHP tries to use it for the session id.
This is a problem in WAP deployments, where a number of mobile phone browsers send a Cookie in the form of:
Cookie: PHPSESSID="xxx, PHPSESSID=xxx" (as denoted in http://bugs.php.net/bug.php?id=32111)
This makes PHP produce a warning:
PHP Warning:  Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0
Reproduce code:
---------------
session_set_cookie_params(3600);
session_start();
var_dump(session_id());
Add
ini_set('session.use_cookies', true);
in the first request and 
ini_set('session.use_cookies', false);
in the second.
Expected result:
----------------
After the second request, the session ID (as returned by session_id()) should not be the same as after the first request.
Actual result:
--------------
The value returned by session_id() is the same within the first and second requests.
I think that if session.use_cookies is disabled, there should be no check for whether the browser sends a cookie with the same name as session_name().
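
The decision the report asks for, written as an added userland example (not part of the report and not PHP's own session code): a client-sent session cookie is ignored when session.use_cookies is off, and rejected when it contains anything outside the character set named in the quoted warning. The function name and the sample requests are constructed for illustration; the syntax assumes PHP 7.1 or later.

```php
<?php
// Added example: decide whether a client-sent session cookie may be
// used as the session ID. Not taken from PHP's session module.

/**
 * Returns [id|null, reason]. The cookie is ignored when cookies are
 * disabled (the behaviour the report expects) and rejected when it has
 * characters outside a-z, A-Z, 0-9 (the set named in the warning).
 */
function session_id_from_cookie(array $cookies, string $name, bool $useCookies): array
{
    if (!$useCookies) {
        // Never look at the cookie at all, even if the browser sent one.
        return [null, 'ignored: session.use_cookies is off'];
    }
    if (!isset($cookies[$name])) {
        return [null, 'no session cookie in request'];
    }
    $value = $cookies[$name];
    // \A and \z anchor the whole string, so a trailing newline fails too.
    if (!is_string($value) || preg_match('/\A[a-zA-Z0-9]+\z/', $value) !== 1) {
        return [null, 'rejected: invalid characters'];
    }
    return [$value, 'accepted'];
}

// Constructed requests: [label, use_cookies setting, cookies from client].
$requests = [
    ['cookies on, clean ID',        true,  ['PHPSESSID' => 'abc123DEF456']],
    ['cookies off, stale cookie',   false, ['PHPSESSID' => 'abc123DEF456']],
    ['cookies on, WAP-style value', true,  ['PHPSESSID' => '"xxx, PHPSESSID=xxx"']],
    ['cookies on, non-string',      true,  ['PHPSESSID' => ['x']]],
    ['cookies on, no cookie',       true,  []],
];

foreach ($requests as [$label, $useCookies, $cookies]) {
    [$id, $reason] = session_id_from_cookie($cookies, 'PHPSESSID', $useCookies);
    printf("%-28s id=%-14s %s\n", $label, $id ?? '(none)', $reason);
}
```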


 [2005-05-20 12:28 UTC] tony2001@php.net

This bug has been fixed in CVS.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.