Sunday, 21 April 2019

session_regenerate_id causes two PHPSESSID cookies to be returned

I've developed an API which was originally only used via a browser, and I never noticed an issue; however, I am now trying to connect to it via a third-party Android library (OkHttpClient), and I've tested what I am seeing using a REST API test client (Insomnia.rest).

The problem I am having is that when I perform the login action of the API, I start a session and call session_regenerate_id(true); to avoid sticky session attacks (I'm not sure if that's the proper name).

However, when I do this I return two PHPSESSID cookies as shown in the headers below:

< HTTP/1.1 200 OK
< Date: Thu, 18 Apr 2019 22:51:43 GMT
< Server: Apache/2.4.27 (Win64) PHP/7.1.9
< X-Powered-By: PHP/7.1.9
* cookie size: name/val 8 + 6 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: ClientID=413059; path=/
* cookie size: name/val 9 + 26 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: PHPSESSID=15u9j1p2oinfl5a8slh518ee9r; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
* cookie size: name/val 9 + 26 bytes
* cookie size: name/val 4 + 1 bytes
* Replaced cookie PHPSESSID="hkkffpj8ta9onsn92pp70r257v" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=hkkffpj8ta9onsn92pp70r257v; path=/
* cookie size: name/val 17 + 1 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: UsingGoogleSignIn=0; path=/
* cookie size: name/val 6 + 1 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: UserID=7; path=/
< Access-Control-Allow-Credentials: true
< Content-Length: 47
< Content-Type: application/json

As you can see from the above output, there are two Set-Cookie headers with PHPSESSID. If I remove the session_regenerate_id call, I only get one PHPSESSID cookie, and the Android client then works successfully.

I've exhibited this on Apache under Wamp on Windows 10 and Apache in production on a CentOS 7 build.

So the question is, how can I generate a new PHP session ID without sending back two different PHPSESSID cookies?
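One way to keep a single PHPSESSID Set-Cookie header after regenerating the id, as an added example that is not part of the original post: it assumes the default cookie-based session handler and the PHP 7.1-style setcookie() argument list, and uses headers_list()/header_remove() to keep only the last queued Set-Cookie header per cookie name (the regenerated id is the last one PHP queues).

```php
<?php
// Added example (not from the original post). Regenerate the session id on
// login, then make sure only one Set-Cookie header per cookie name is sent.
// Assumes the default cookie-based session handler (cookie name PHPSESSID).

function dedupe_set_cookie_headers(): array
{
    $latest = [];                       // cookie name => full header line, last wins
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = trim(substr($line, strlen('Set-Cookie:')));
        $name  = strstr($value, '=', true); // text before the first '='
        if ($name !== false) {
            $latest[$name] = $line;
        }
    }
    header_remove('Set-Cookie');        // drop every queued Set-Cookie header
    foreach ($latest as $line) {
        header($line, false);           // re-queue exactly one per cookie name
    }
    return array_keys($latest);         // names that will be sent, for logging
}

// Login handler sketch (hypothetical; credential check omitted).
session_start();
// ... verify credentials here ...
session_regenerate_id(true);            // fresh id after login; old session data deleted
// Extra cookies the login sets; 0 = session cookie, path '/', HttpOnly on.
setcookie('UserID', '7', 0, '/', '', false, true);

$sent = dedupe_set_cookie_headers();
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'cookies' => $sent]);
```

The dedupe step must run after session_regenerate_id() and any setcookie() calls, and before any output, since headers can no longer be changed once the body starts.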
