PHP and session.cookie_path - Heisenbug.

Submitted by michael on Tue, 02/18/2014 - 15:32
TIL: PHP's session.cookie_path defaults to '/', which is good. But if session.cookie_path is the empty string (''), PHP sends the session cookie without a Path attribute, and the browser derives the cookie path from the current URL (the request path up to, but not including, its last '/'). If the request is to and the cookie path is '', then the cookie is set for - not as one might expect.

And the browser keeps that cookie until it expires, regardless of what happens to the session on the server. So you can end up with the same cookie id on multiple paths; some of those cookies expire, some get reset during a logout/login cycle, but the old ones are still in the browser and haven't expired. Browsers send the cookie with the longer (more specific) path first, and PHP keeps the first PHPSESSID it sees, so the stale cookie overrides the newer one. It no longer corresponds to a valid session, so you can't do anything under that URL anymore.

Here's an example:

Visit and login. Cookie with id=A gets set for /.
Visit , and cookie A gets duplicated to /foo/bar, because something updates the session (or refreshes the cookie expiry) and the cookie path is ''.
Logout. PHP destroys session A, but the browser doesn't drop the cookie. This is expected: session_destroy() never touches the browser's cookie jar, and a logout handler that expires the cookie with path / doesn't match the /foo/bar copy either.
Return to and login. A new cookie with id=B gets set for /.
Visit and the browser sends cookie A (path /foo/bar) ahead of cookie B (path /). PHP takes A, which doesn't correspond to a known session, so you're effectively logged out on that part of the site.

The fix is to set session.cookie_path to '/' explicitly (the default, so only a bad php.ini or ini_set() gets you here), and to remember that a stale cookie can only be expired by a Set-Cookie with the same path it was stored under. I've been chasing this one for a couple of weeks.
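The whole cycle, as an added simulation that is not code from the original post: a minimal browser cookie jar implementing the RFC 6265 default-path, path-match and Cookie-header ordering rules, and a stand-in for a PHP app that keeps sessions server-side and uses the first PHPSESSID it receives. The URLs (/index.php, /foo/bar/index.php), the session ids and the user name are constructed for the example; the PhpApp class only models the behaviour the post describes, not PHP's real session extension.

```python
"""Simulates the stale PHPSESSID bug caused by session.cookie_path = ''.
Added example; URLs, ids and the PhpApp stand-in are constructed."""
import itertools


def default_path(request_path):
    """RFC 6265 section 5.1.4: the path a browser assumes when Set-Cookie has no Path."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class Browser:
    """Cookie jar keyed on (name, path). A browser never drops a cookie just
    because the server has forgotten the session it names."""

    def __init__(self):
        self.jar = {}

    def store(self, request_path, name, value, path=""):
        # An empty path (no Path attribute) falls back to the default-path rule.
        self.jar[(name, path or default_path(request_path))] = value

    def cookie_header(self, request_path):
        """Cookies matching the request path, longer paths first (section 5.4)."""
        matching = [(p, n, v) for (n, p), v in self.jar.items()
                    if path_matches(p, request_path)]
        matching.sort(key=lambda t: len(t[0]), reverse=True)
        return [(n, v) for _, n, v in matching]


class PhpApp:
    """Stand-in for a PHP app: sessions live server-side, the cookie carries
    only the id, and cookie_path plays the role of session.cookie_path."""

    def __init__(self, cookie_path):
        self.cookie_path = cookie_path
        self.sessions = {}
        self.ids = itertools.count(ord("A"))

    @staticmethod
    def _sid_from(cookies):
        # PHP keeps the first occurrence of a duplicated cookie name.
        for name, value in cookies:
            if name == "PHPSESSID":
                return value
        return None

    def request(self, browser, path, action="view"):
        """Returns the logged-in user PHP sees, or None if the session is unknown."""
        sid = self._sid_from(browser.cookie_header(path))
        if action == "login":
            sid = chr(next(self.ids))
            self.sessions[sid] = {"user": "michael"}
        elif action == "logout":
            self.sessions.pop(sid, None)  # session_destroy(); the browser keeps its cookie
            return None
        if sid not in self.sessions:
            return None  # known cookie, unknown session: effectively logged out
        # Every response re-sends the session cookie (e.g. after touching $_SESSION).
        browser.store(path, "PHPSESSID", sid, self.cookie_path)
        return self.sessions[sid]["user"]


def run_scenario(cookie_path):
    """Replays the post's login / visit / logout / login / visit sequence."""
    browser, app = Browser(), PhpApp(cookie_path)
    app.request(browser, "/index.php", "login")        # PHPSESSID=A for /
    app.request(browser, "/foo/bar/index.php")         # with '' A is re-set for /foo/bar
    app.request(browser, "/index.php", "logout")       # server forgets A, browser does not
    app.request(browser, "/index.php", "login")        # PHPSESSID=B for /
    return app.request(browser, "/foo/bar/index.php")  # stale A shadows B?


if __name__ == "__main__":
    print("cookie_path '' :", run_scenario(""))   # None: stale cookie A wins
    print("cookie_path '/':", run_scenario("/"))  # michael
```

With cookie_path set to '' the final request under /foo/bar/ carries "PHPSESSID=A; PHPSESSID=B", PHP picks A, and the user is silently logged out there while still logged in at /; with '/' the same id is only ever stored on one path and the cycle behaves.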