Session's cookie domain (and possibly other attributes) is not handled (set) properly in some cases #121
Description
- Bug report?
yes - Feature request?
no - Version: discovered in
v2.3.8(still present inv2.4.4)
Description
If Nette\Http\Session instance is configured using camelCase-styled option names, eg. cookiePath, cookieDomain, etc. (as it is presented in docs: https://doc.nette.org/cs/2.3/sessions). and the client does this:
- (new request)
- Set up the
Sessioninstance- Either with
$session->setOptions(["cookieDomain" => ".domain.com"]) - Or in Nette framework using
.neonconfig
- Either with
- Start the session (do not output anything yet)
- Close the session (do not output anything yet)
- Start the session again (we should able to, we did not send any output yet)
The Nette\Http\Response's setCookie() method is being fired twice (and that's ok). But: the second call does NOT send the cookie's domain property properly - it is empty (as in PHP's default).
If Nette\Http\Session instance is configured using underscore_case-styled option names (eg. cookie_path, cookie_domain), everything works fine.
Steps To Reproduce
Minimum reproduction code: sessions_bug.zip
Expected behaviour
"Correct" (workaround-y) options:
$optionsOK = [
"cookie_path" => "/",
"cookie_domain" => ".domainok.com",
];
Expected output:
$ php index.php
Array
(
[name] => PHPSESSID
[value] => 3aeue4lsjhrhqs8de8ao8ilbp0
[time] => 0
[path] => /
[domain] => .domainok.com
[secure] =>
[httpOnly] => 1
)
Array
(
[name] => PHPSESSID
[value] => fgas2ttl3eku0ns6eth8c39r97
[time] => 0
[path] => /
[domain] => .domainok.com
[secure] =>
[httpOnly] => 1
)
Actual behaviour:
Options:
$optionsBug = [
"cookiePath" => "/",
"cookieDomain" => ".domainbug.com",
];
Output:
$ php index.php
Array
(
[name] => PHPSESSID
[value] => n441tegtvgc2u87j8jkmkvt4o1
[time] => 0
[path] => /
[domain] => .domainbug.com
[secure] =>
[httpOnly] => 1
)
Array
(
[name] => PHPSESSID
[value] => 3k8ercr7pe42ln86l9kn2t6836
[time] => 0
[path] => /
[domain] =>
[secure] =>
[httpOnly] => 1
)