#8543 Resolve Duplicate Headers

- Replace session name lookup with function to also check secure cookies - Added timeout which defaults to 0 (same as PHP) - Removed php7 style of session_start from PR - moved session_start into headers sent block to prevent warnings.
2024-06-29 07:59:31 +02:00 · 2018-12-03 12:28:21 +13:00 · 2018-12-03 12:28:21 +13:00 · 1edfa4d956
commit 1edfa4d956
parent 4eb6669c08
1 changed files with 18 additions and 26 deletions
--- a/src/Control/Session.php
+++ b/src/Control/Session.php
@ -301,20 +301,15 @@ class Session
        // If the session cookie is already set, then the session can be read even if headers_sent() = true
        // This helps with edge-case such as debugging.
        $data = [];
-        if (!session_id() && (!headers_sent() || !empty($_COOKIE[ini_get('session.name')]))) {
+        if (!session_id() && (!headers_sent() || $this->requestContainsSessionId($request))) {
            if (!headers_sent()) {
-                session_set_cookie_params($timeout, $path, $domain ?: null, $secure, true);
+                session_set_cookie_params($timeout ?: 0, $path, $domain ?: null, $secure, true);

                $limiter = $this->config()->get('sessionCacheLimiter');
                if (isset($limiter)) {
                    session_cache_limiter($limiter);
                }

-            // If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
-            } else {
-                session_cache_limiter(null);
-            }
-
                // Allow storing the session in a non standard location
                if ($session_path) {
                    session_save_path($session_path);
@ -328,15 +323,12 @@ class Session
                    session_name($this->config()->get('cookie_name_secure'));
                }

-            $sessionParameters = [
-                "cookie_path" => $path,
-                "cookie_domain" => $domain ?: "",
-                "cookie_lifetime" => $timeout ?: 0,
-                "cookie_secure" => $secure,
-                "cookie_httponly" => true
-            ];
+                session_start();

-            session_start($sessionParameters);
+            } else {
+                // If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
+                session_cache_limiter(null);
+            }

            if (isset($_SESSION)) {
                // Initialise data from session store if present