I've upgraded to PHP 7.2 and these PHP warnings started to show up in the logs:
apache2: PHP Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /var/www/squirrelmail/functions/global.php on line 476
This seems to be caused by changes in session handling of PHP 7.2.
Itroduced somewhere around here:
https://github.com/php/php-src/commit/7f196e3
Other PHP apps also have problems with it, like Icinga:
https://github.com/Icinga/icingaweb2/issues/3185
fixed by this commit:
https://github.com/Icinga/icingaweb2/commit/dadd2c80f6819111f25e3799c072ec39c991897e
If I take a look at on global.php, the culprit function session_set_cookie_params gets called only in sqsession_start. It calls session_start only after session_set_cookie_params - so that shouldn't be the problem. Now sqsession_start only gets called from sqsession_is_active. Sqsession_is_active is called from multiple places in global.php: just as is, from session_register and from session_unregister as well. So the warning is probably generated because of multiple calls of the function.
There's also a comment:
// need to check if headers have been sent, since sqsession_is_active() // has become just a passthru to this function, so the sqsetcookie() // below is called every time, even after headers have already been sent
The involved code segment:
function sqsession_start() { global $base_uri; @session_set_cookie_params (0, $base_uri); @session_start(); // could be: sq_call_function_suppress_errors('session_start'); $session_id = session_id(); // session_starts sets the sessionid cookie but without the httponly var // setting the cookie again sets the httponly cookie attribute // // need to check if headers have been sent, since sqsession_is_active() // has become just a passthru to this function, so the sqsetcookie() // below is called every time, even after headers have already been sent // if (!headers_sent()) sqsetcookie(session_name(),$session_id,false,$base_uri); }
In the comments of sqsession_start one can run into this:
* Note that as sqsession_is_active() no longer discriminates as to when * it calls this function, session_start() has to have E_NOTICE suppression
I have two ideas here. Either prepend session_set_cookie_params with "@" to suppress warnings as it was commented for session_start or make it depend on header_sent(), just like for sqsetcookie. However I'm not sure here if header_sent can be called before the session has been started - considering calling the function for the first time.
OS: Gentoo Linux, x86_64, kernel 4.14.30
Apache: 2.4.33, PHP: 7.2.4, MySQL: 5.6.39
Squirrelmail: 1.4.23 SVN20180317
Please tell me in which direction to proceed!
Thanks:
Dwokfur
Other references:
https://stackoverflow.com/questions/47700336/php-7-2-warning-cannot-change-session-name-when-session-is-active
No patch?
I ran into this also after I upgraded from Fedora 28 to Fedora 29; I think that bumped PHP to 7.2 and triggered this.
I have tried a simplistic patch:
if (headers_sent()) return at the to, but that changed nothing.
I would really like to see this fixed.
I haven't analysed the code to work out why it wasn't conditional as its name and the comments suggested, but the following quick hack fixed it for me with PHP7.2 until a maintainer with a deeper understanding of the code can come up with an official fix.
--- functions/global.php-orig 2019-01-08 04:27:15.000000000 +0000
+++ functions/global.php 2019-01-24 05:09:34.605337591 +0000
@@ -454,6 +454,7 @@
*/
function sqsession_is_active() {
+ if (session_status() === PHP_SESSION_ACTIVE) { return; } // quick HACK for bug #2847
sqsession_start();
}
On 1/23/2019 10:00 PM, Adrian Butterworth wrote:
Yes, that got me past the login. I now get other things like
"create_function() is deprecated".
Thanks for the reply.
Lars Poulsen
The functionality has always been the same; PHP is just emitting a warning where it silently failed in the past. Fix will appear in our next nightly build.
I was actually still having this problem but I found that if you just // out the session_set_cookie_params (0, $base_uri); and leave the rest of that section alone, I was able to bypass the warning and get to the inbox, so far have had no issues at all since.
Better solution is to grab an updated copy of 1.4.23-svn
That is the version I am on...... Still had the issue.