Menu

#2847 Cannot change session cookie parameters when session is active

Produces PHP errors
closed-fixed
Paul Lesniewski
None
5
2019-08-11
2018-03-31
Toth Attila MD
No

I've upgraded to PHP 7.2 and these PHP warnings started to show up in the logs:

apache2: PHP Warning:  session_set_cookie_params(): Cannot change session cookie parameters when session is active in /var/www/squirrelmail/functions/global.php on line 476

This seems to be caused by changes in session handling of PHP 7.2.
Itroduced somewhere around here:
https://github.com/php/php-src/commit/7f196e3
Other PHP apps also have problems with it, like Icinga:
https://github.com/Icinga/icingaweb2/issues/3185
fixed by this commit:
https://github.com/Icinga/icingaweb2/commit/dadd2c80f6819111f25e3799c072ec39c991897e

If I take a look at on global.php, the culprit function session_set_cookie_params gets called only in sqsession_start. It calls session_start only after session_set_cookie_params - so that shouldn't be the problem. Now sqsession_start only gets called from sqsession_is_active. Sqsession_is_active is called from multiple places in global.php: just as is, from session_register and from session_unregister as well. So the warning is probably generated because of multiple calls of the function.
There's also a comment:

    // need to check if headers have been sent, since sqsession_is_active()
    // has become just a passthru to this function, so the sqsetcookie()
    // below is called every time, even after headers have already been sent

The involved code segment:

function sqsession_start() {
    global $base_uri;

    @session_set_cookie_params (0, $base_uri);
    @session_start();
    // could be: sq_call_function_suppress_errors('session_start');
    $session_id = session_id();

    // session_starts sets the sessionid cookie but without the httponly var
    // setting the cookie again sets the httponly cookie attribute
    //
    // need to check if headers have been sent, since sqsession_is_active()
    // has become just a passthru to this function, so the sqsetcookie()
    // below is called every time, even after headers have already been sent
    //
    if (!headers_sent())
       sqsetcookie(session_name(),$session_id,false,$base_uri);
}

In the comments of sqsession_start one can run into this:

 * Note that as sqsession_is_active() no longer discriminates as to when
 * it calls this function, session_start() has to have E_NOTICE suppression

I have two ideas here. Either prepend session_set_cookie_params with "@" to suppress warnings as it was commented for session_start or make it depend on header_sent(), just like for sqsetcookie. However I'm not sure here if header_sent can be called before the session has been started - considering calling the function for the first time.

OS: Gentoo Linux, x86_64, kernel 4.14.30
Apache: 2.4.33, PHP: 7.2.4, MySQL: 5.6.39
Squirrelmail: 1.4.23 SVN20180317

Please tell me in which direction to proceed!

Thanks:
Dwokfur

Other references:
https://stackoverflow.com/questions/47700336/php-7-2-warning-cannot-change-session-name-when-session-is-active

Discussion

  • Yaroslav Savchenko

    Yaroslav Savchenko - 2019-01-12

    No patch?

     

  • Lars J Poulsen

    Lars J Poulsen - 2019-01-20

    I ran into this also after I upgraded from Fedora 28 to Fedora 29; I think that bumped PHP to 7.2 and triggered this.
    I have tried a simplistic patch:
    if (headers_sent()) return at the to, but that changed nothing.

    I would really like to see this fixed.

     

  • Adrian Butterworth

    Adrian Butterworth - 2019-01-24

    I haven't analysed the code to work out why it wasn't conditional as its name and the comments suggested, but the following quick hack fixed it for me with PHP7.2 until a maintainer with a deeper understanding of the code can come up with an official fix.

    --- functions/global.php-orig 2019-01-08 04:27:15.000000000 +0000
    +++ functions/global.php 2019-01-24 05:09:34.605337591 +0000
    @@ -454,6 +454,7 @@
    */

    function sqsession_is_active() {
    + if (session_status() === PHP_SESSION_ACTIVE) { return; } // quick HACK for bug #2847
    sqsession_start();
    }

     

    • Lars J Poulsen

      Lars J Poulsen - 2019-01-24

      On 1/23/2019 10:00 PM, Adrian Butterworth wrote:

      I haven't analysed the code to work out why it wasn't conditional as
      its name and the comments suggested, but the following quick hack
      fixed it for me with PHP7.2 until a maintainer with a deeper
      understanding of the code can come up with an official fix.

      --- functions/global.php-orig 2019-01-08 04:27:15.000000000 +0000
      +++ functions/global.php 2019-01-24 05:09:34.605337591 +0000
      @@ -454,6 +454,7 @@
      */

      function sqsession_is_active() {
      + if (session_status() === PHP_SESSION_ACTIVE) { return; } // quick
      HACK for bug #2847
      sqsession_start();
      }

      Yes, that got me past the login. I now get other things like
      "create_function() is deprecated".

      Thanks for the reply.

      Lars Poulsen

       
      alternate

  • Paul Lesniewski

    Paul Lesniewski - 2019-04-16
    • status: open --> closed-fixed
    • assigned_to: Paul Lesniewski
     

  • Paul Lesniewski

    Paul Lesniewski - 2019-04-16

    The functionality has always been the same; PHP is just emitting a warning where it silently failed in the past. Fix will appear in our next nightly build.

     

  • Koltin Binford

    Koltin Binford - 2019-08-08

    I was actually still having this problem but I found that if you just // out the session_set_cookie_params (0, $base_uri); and leave the rest of that section alone, I was able to bypass the warning and get to the inbox, so far have had no issues at all since.

     

    • Paul Lesniewski

      Paul Lesniewski - 2019-08-10

      Better solution is to grab an updated copy of 1.4.23-svn

       

      • Koltin Binford

        Koltin Binford - 2019-08-11

        That is the version I am on...... Still had the issue.

         

Log in to post a comment.