PHP and session.cookie_path – Heisenbug.

TIL: PHP’s session.cookie_path defaults to ‘/’, which is good. But if session.cookie_path is the empty string (''), then the cookie path is set relative to the current URL.

If the request is to example.com/foo/bar/bax.php and the cookie path is '', then the cookie is set for example.com/foo/bar – not example.com/ as one might expect.

But then the browser goes and saves it forever. So you can end up with the same cookie id on multiple paths; some of them expire, and some get reset during a logout/login cycle, but the old cookies are still in the browser and they haven’t expired. And since they’re already in the browser, they override the newer cookies. But they don’t correspond to a valid session any more, so you can’t do anything under that URL.

Here’s an example:

Visit example.com/ and login. Cookie with id=A gets set to /. Visit example.com/foo/bar/bax.php. Cookie with id=A gets duplicated to /foo/bar, maybe because you’re updating something in the session or the cookie expiry time and the cookie path is ''. Logout. PHP clears the session for cookie A, but the browser doesn’t. This is expected.

Return to example.com and login. A new cookie with id=B gets set for /. Visit example.com/foo/bar/bax.php and the browser sends cookie with id=A. PHP gets the cookie but it doesn’t correspond to a known session. So you can’t do anything.
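Here is the same sequence as a small simulation, added here and not part of the original post. The browser side follows RFC 6265 (default-path for an empty Path attribute, path-match, longer paths sent first); the server side mimics PHP, which keeps the first PHPSESSID value when the Cookie header repeats the name. It assumes the page re-sends the session cookie on every request (e.g. to extend its expiry), and uses the ids A and B from the walkthrough.

```python
def default_path(request_path):
    # RFC 6265 5.1.4: an empty Path attribute means "request path up to the last '/'"
    if request_path.count("/") <= 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def path_matches(cookie_path, request_path):
    # RFC 6265 5.1.4 path-match
    if not request_path.startswith(cookie_path):
        return False
    tail = request_path[len(cookie_path):]
    return tail == "" or cookie_path.endswith("/") or tail.startswith("/")

class Browser:
    def __init__(self):
        self.jar = {}  # (name, path) -> value; one name may live on several paths
    def set_cookie(self, request_path, name, value, path=""):
        self.jar[(name, path or default_path(request_path))] = value
    def cookie_header(self, request_path):
        hits = [(p, n, v) for (n, p), v in self.jar.items() if path_matches(p, request_path)]
        hits.sort(key=lambda t: -len(t[0]))  # RFC 6265 5.4: longer paths sent first
        return [(n, v) for _, n, v in hits]

class PhpServer:
    def __init__(self, cookie_path):
        self.cookie_path = cookie_path  # session.cookie_path; '' triggers the bug
        self.live, self.ids = set(), iter("ABCDEF")
    def sid(self, cookies):  # first PHPSESSID wins, as in $_COOKIE
        return next((v for n, v in cookies if n == "PHPSESSID"), None)
    def login(self, browser, path):
        self.live.add(sid := next(self.ids))
        browser.set_cookie(path, "PHPSESSID", sid, self.cookie_path)
    def request(self, browser, path):
        sid = self.sid(browser.cookie_header(path))
        if sid not in self.live:
            return None  # cookie arrives, but no session behind it
        # assumption: the page re-sends the session cookie (e.g. to extend its expiry)
        browser.set_cookie(path, "PHPSESSID", sid, self.cookie_path)
        return sid
    def logout(self, browser, path):
        self.live.discard(self.sid(browser.cookie_header(path)))  # browser keeps the cookie

def scenario(cookie_path):
    b, s = Browser(), PhpServer(cookie_path)
    s.login(b, "/")                       # id=A set for /
    s.request(b, "/foo/bar/bax.php")      # with '' the refreshed A lands on /foo/bar
    s.logout(b, "/")
    s.login(b, "/")                       # id=B set for /
    return s.request(b, "/foo/bar/bax.php")  # None means the stale A shadowed B
```

`scenario("")` returns None (the deep URL is stuck with the dead session A), while `scenario("/")` returns "B", which is why leaving session.cookie_path at its default of '/' avoids the problem.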

I’ve been chasing this one for a couple of weeks.