Fixed session cookie is being set twice in the HTTP header [#2745]

2026-05-06 18:26:06 +02:00 · 2019-12-10 16:06:54 +02:00
parent 842dc0d49e
commit 3a8775f545
2 changed files with 22 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,9 @@
 # v1.6.20
-## 12/04/2019
+## mm/dd/2019

 1. [](#bugfix)
-    * Incorrect routing caused by `str_replace()` in `Uri::init()` [#2754](https://github.com/getgrav/grav/issues/2754)
+    * Fixed incorrect routing caused by `str_replace()` in `Uri::init()` [#2754](https://github.com/getgrav/grav/issues/2754)
+    * Fixed session cookie is being set twice in the HTTP header [#2745](https://github.com/getgrav/grav/issues/2745)

 # v1.6.19
 ## 12/04/2019
--- a/system/src/Grav/Framework/Session/Session.php
+++ b/system/src/Grav/Framework/Session/Session.php
@@ -178,9 +178,13 @@ class Session implements SessionInterface
            return $this;
        }

+        $sessionName = session_name();
+        $sessionExists = isset($_COOKIE[$sessionName]);
+
        // Protection against invalid session cookie names throwing exception: http://php.net/manual/en/function.session-id.php#116836
-        if (isset($_COOKIE[session_name()]) && !preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[session_name()])) {
-            unset($_COOKIE[session_name()]);
+        if ($sessionExists && !preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[$sessionName])) {
+            unset($_COOKIE[$sessionName]);
+            $sessionExists = false;
        }

        $options = $this->options;
@@ -202,17 +206,20 @@ class Session implements SessionInterface
            throw new SessionException('User Invalid', 500);
        }

-        $params = session_get_cookie_params();
+        // Extend the lifetime of the session.
+        if ($sessionExists) {
+            $params = session_get_cookie_params();

-        setcookie(
-            session_name(),
-            session_id(),
-            time() + $params['lifetime'],
-            $params['path'],
-            $params['domain'],
-            $params['secure'],
-            $params['httponly']
-        );
+            setcookie(
+                $sessionName,
+                session_id(),
+                time() + $params['lifetime'],
+                $params['path'],
+                $params['domain'],
+                $params['secure'],
+                $params['httponly']
+            );
+        }

        $this->started = true;