session_starts sends duplicate Set-Cookie

[kamil-tekiela]

Description

The following code:

<?php

session_id('mysessionid');

session_start();
session_write_close();
session_start();

Resulted in this output:

HTTP/1.1 200 OK
Date: Mon, 19 May 2025 15:51:57 GMT
Server: Apache/2.4.62 (Win64) PHP/8.4.0 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.4.0
Set-Cookie: PHPSESSID=mysessionid; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=mysessionid; path=/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

But I expected this output instead:

HTTP/1.1 200 OK
Date: Mon, 19 May 2025 15:51:57 GMT
Server: Apache/2.4.62 (Win64) PHP/8.4.0 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.4.0

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=mysessionid; path=/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

I tried with output buffering on and off. If I remove session_id() I cannot reproduce it again, but I only used it to create a reproducible example, as in the real project, it's sending duplicate headers even without it.

PHP Version

PHP 8.4 and Apache 2.4.62

> Apache/2.4.62 (Win64) PHP/8.4.0 mod_fcgid/2.3.10-dev

Operating System

Windows 10

[kamil-tekiela]

Putting ini_set('session.use_cookies', 'false'); before the second session_start helps but it shouldn't be required. This becomes evident when you execute the script 2 times. The second time there should be 0 Set-Cookie but I still see 2 without this line and 0 with this line.

[kkmuffme]

See #18169

[kamil-tekiela]

I don't know about setcookie() but as I understand session_start() already has this feature build in. It just doesn't seem to work properly.

[NattyNarwhal]

I haven't tried Windows, but I've tried to reproduce this on macOS at least w/ CLI/CGI and can't get the duplicate header.

My understanding reading it, it initializes the session, calls reset_id, calls send_cookies, calls remove_cookie (which is looking for that specific Set-Cookie: PHPSESSID instance, then munging the header linked list directly, because the SAPI APIs don't have a way to remove a specific one), then appends the new one. That seems to work correctly (it removes the stale Set-Cookie: PHPSESSID, then appends the new one).

That said, I think I might clean up this session/SAPI header code anyways, because it is pretty ugly.

[Girgias]

@NattyNarwhal did this get resolved with #18678 ?

[NattyNarwhal]

No, that was just a small refactor since the code was pretty ugly there.

[Girgias]

No, that was just a small refactor since the code was pretty ugly there.

Do you think this should be fixed on the SAPI side as this seems to also affect setcookie(), or fixed on the call site?

[NattyNarwhal]

I'm not sure, since I wasn't able to reproduce the issue on my side at the time.