php · kamil-tekiela · Aug 24, 2024 · Mar 1, 2024 · Apr 5, 2024 · May 3, 2024
@@ -808,6 +808,40 @@ static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */
 	return SUCCESS;
 } /* }}} */
 
+static PHP_INI_MH(OnUpdateUseOnlyCookies)
+{
+	SESSION_CHECK_ACTIVE_STATE;
+	SESSION_CHECK_OUTPUT_STATE;
+	bool *p = (bool *) ZEND_INI_GET_ADDR();
+	*p = zend_ini_parse_bool(new_value);
+	if (!*p) {
+		php_error_docref("session.configuration", E_DEPRECATED, "Disabling session.use_only_cookies INI setting is deprecated");
+	}
+	return SUCCESS;
+}
+
+static PHP_INI_MH(OnUpdateUseTransSid)
+{
+	SESSION_CHECK_ACTIVE_STATE;
+	SESSION_CHECK_OUTPUT_STATE;
+	bool *p = (bool *) ZEND_INI_GET_ADDR();
+	*p = zend_ini_parse_bool(new_value);
+	if (*p) {
+		php_error_docref("session.configuration", E_DEPRECATED, "Enabling session.use_trans_sid INI setting is deprecated");
+	}
+	return SUCCESS;
+}
+
+static PHP_INI_MH(OnUpdateRefererCheck)
+{
+	SESSION_CHECK_ACTIVE_STATE;
+	SESSION_CHECK_OUTPUT_STATE;
+	if (ZSTR_LEN(new_value) != 0) {
+		php_error_docref("session.configuration", E_DEPRECATED, "Usage of session.referer_check INI setting is deprecated");
+	}
+	return OnUpdateString(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
+}
+
 /* {{{ PHP_INI */
 PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("session.save_path",          "",          PHP_INI_ALL, OnUpdateSaveDir,       save_path,          php_ps_globals,    ps_globals)
@@ -825,12 +859,12 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("session.cookie_httponly",  "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_httponly,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_samesite",    "",          PHP_INI_ALL, OnUpdateSessionString, cookie_samesite,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_cookies",      "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_cookies,        php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_only_cookies,   php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1",         PHP_INI_ALL, OnUpdateUseOnlyCookies,   use_only_cookies,   php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_strict_mode",  "0",         PHP_INI_ALL, OnUpdateSessionBool,   use_strict_mode,    php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.referer_check",      "",          PHP_INI_ALL, OnUpdateSessionString, extern_referer_chk, php_ps_globals,    ps_globals)
+	STD_PHP_INI_ENTRY("session.referer_check",      "",          PHP_INI_ALL, OnUpdateRefererCheck, extern_referer_chk, php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_limiter",      "nocache",   PHP_INI_ALL, OnUpdateSessionString, cache_limiter,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_expire",       "180",       PHP_INI_ALL, OnUpdateSessionLong,   cache_expire,       php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_trans_sid",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   use_trans_sid,      php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_trans_sid",    "0",         PHP_INI_ALL, OnUpdateUseTransSid,   use_trans_sid,      php_ps_globals,    ps_globals)
 	PHP_INI_ENTRY("session.sid_length",             "32",        PHP_INI_ALL, OnUpdateSidLength)
 	PHP_INI_ENTRY("session.sid_bits_per_character", "4",         PHP_INI_ALL, OnUpdateSidBits)
 	STD_PHP_INI_BOOLEAN("session.lazy_write",       "1",         PHP_INI_ALL, OnUpdateSessionBool,    lazy_write,         php_ps_globals,    ps_globals)
@@ -1478,15 +1512,15 @@ PHPAPI zend_result php_session_reset_id(void) /* {{{ */
 			zval_ptr_dtor_str(sid);
 			ZVAL_STR(sid, smart_str_extract(&var));
 		} else {
-			REGISTER_STRINGL_CONSTANT("SID", ZSTR_VAL(var.s), ZSTR_LEN(var.s), 0);
+			REGISTER_STRINGL_CONSTANT("SID", ZSTR_VAL(var.s), ZSTR_LEN(var.s),  CONST_DEPRECATED);
 			smart_str_free(&var);
 		}
 	} else {
 		if (sid) {
 			zval_ptr_dtor_str(sid);
 			ZVAL_EMPTY_STRING(sid);
 		} else {
-			REGISTER_STRINGL_CONSTANT("SID", "", 0, 0);
+			REGISTER_STRINGL_CONSTANT("SID", "", 0, CONST_DEPRECATED);
 		}
 	}
 

@@ -20,10 +20,16 @@ error_reporting(E_ALL);
 
 session_id("test015");
 session_start();
+$sid = SID;
 ?>
-<a href="/link?<?php echo SID; ?>">
+<a href="/link?<?=$sid ?>">
 <?php
 session_destroy();
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
+
+Deprecated: Constant SID is deprecated in %s on line 6
 <a href="/link?PHPSESSID=test015&PHPSESSID=test015">
@@ -26,4 +26,7 @@ session_start();
 session_destroy();
 ?>
 --EXPECT--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
 <form accept-charset="ISO-8859-15, ISO-8859-1" action=url.php><input type="hidden" name="PHPSESSID" value="test018" />
@@ -27,4 +27,7 @@ session_start();
 session_destroy();
 ?>
 --EXPECT--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
 <a href="link.php?a=b&amp;PHPSESSID=test020">
@@ -59,7 +59,12 @@ ini_set("url_rewriter.tags", "a=href,fieldset=,area=href,frame=src,input=src");
 
 session_destroy();
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
+
+Deprecated: ini_set(): Usage of session.trans_sid_hosts INI setting is deprecated in %s on line 4
 <form action="//bad.net/do.php">
 <fieldset>
 <form action="//php.net/do.php"><input type="hidden" name="PHPSESSID" value="test021" />

@@ -30,6 +30,9 @@ session_start();
   </body>
 </html>
 --EXPECTF--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
 <html>
   <head>
     <title>Bug #36459 Incorrect adding PHPSESSID to links, which contains \r\n</title>

@@ -27,4 +27,7 @@ session_start();
 session_destroy();
 ?>
 --EXPECT--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
 <a href="link.php?a=b&amp;PHPSESSID=bug41600">
@@ -34,5 +34,6 @@ foreach (glob($sessdir. "*") as $sessfile) {
 rmdir($sessdir);
 ?>
 --EXPECT--
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
 hello world
 string(6) "100777"
@@ -25,6 +25,9 @@ session.use_only_cookies=0
 <a href=./>
 <a href="./">
 --EXPECTF--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
 <a href="?PHPSESSID=%s"/>
 <a href="?PHPSESSID=%s" />
 <a href="foo?PHPSESSID=%s"/>

@@ -13,6 +13,7 @@ session_start();
 print_r(ob_list_handlers());
 ?>
 --EXPECT--
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
 Array
 (
 )
@@ -14,4 +14,5 @@ ob_start();
 echo "ok\n";
 ?>
 --EXPECT--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
 ok
@@ -5,6 +5,7 @@ session
 --SKIPIF--
 <?php include('skipif.inc'); ?>
 --INI--
+display_startup_errors=0
 session.save_handler=files
 session.auto_start=0
 session.use_cookies=1

@@ -31,8 +31,15 @@ session_start();
 var_dump(session_id(), SID);
 session_destroy();
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: ini_set(): Disabling session.use_only_cookies INI setting is deprecated in %s on line 6
+
+Deprecated: Constant SID is deprecated in %s on line 8
 string(12) "bug72940test"
 string(0) ""
+
+Deprecated: ini_set(): Disabling session.use_only_cookies INI setting is deprecated in %s on line 13
+
+Deprecated: Constant SID is deprecated in %s on line 15
 string(11) "bug72940get"
 string(21) "PHPSESSID=bug72940get"
@@ -1,15 +1,17 @@
 --TEST--
 Bug #74892 Url Rewriting (trans_sid) not working on urls that start with #
+--INI--
+session.use_cookies=0
+session.use_only_cookies=0
+session.use_trans_sid=1
 --EXTENSIONS--
 session
 --SKIPIF--
 <?php include('skipif.inc'); ?>
 --FILE--
 <?php
-ini_set('session.use_cookies', '0');
-ini_set('session.use_only_cookies',0);
-ini_set('session.use_trans_sid',1);
-ini_set('session.trans_sid_hosts','php.net');
+ob_start();
+ini_set('session.trans_sid_hosts','php.net'); // This value cannot be set in the INI file
 session_id('sessionidhere');
 session_start();
 
@@ -18,7 +20,12 @@ session_start();
 <p><a href="index.php#place">External link with anchor</a></p>
 <p><a href="http://php.net#foo">External link with anchor 2</a></p>
 <p><a href="#place">Internal link</a></p>
---EXPECT--
+--EXPECTF--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
+
+Deprecated: ini_set(): Usage of session.trans_sid_hosts INI setting is deprecated in %s on line 3
 <p><a href="index.php?PHPSESSID=sessionidhere">Click This Anchor Tag!</a></p>
 <p><a href="index.php?PHPSESSID=sessionidhere#place">External link with anchor</a></p>
 <p><a href="http://php.net?PHPSESSID=sessionidhere#foo">External link with anchor 2</a></p>

@@ -0,0 +1,64 @@
+--TEST--
+Deprecated GET/POST sessions
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include 'skipif.inc'; ?>
+--INI--
+session.use_cookies=0
+session.use_only_cookies=1
+session.use_trans_sid=0
+--FILE--
+<?php
+
+ob_start();
+
+// Expecting deprecation here
+ini_set("session.use_only_cookies", "0");
+// Expecting no deprecation
+ini_set("session.use_only_cookies", "1");
+
+// Expecting deprecation here
+ini_set("session.use_trans_sid", "1");
+// Expecting no deprecation
+ini_set("session.use_trans_sid", "0");
+
+// Expecting deprecation here
+ini_set("session.trans_sid_tags", "a=href");
+// Expecting no deprecation (default value)
+ini_set("session.trans_sid_tags", "a=href,area=href,frame=src,form=");
+
+// Expecting deprecation here
+ini_set("session.trans_sid_hosts", "php.net");
+// Expecting no deprecation (default value)
+ini_set("session.trans_sid_hosts", "");
+
+// Expecting deprecation here
+ini_set("session.referer_check", "php.net");
+// Expecting no deprecation (default value)
+ini_set("session.referer_check", "");
+
+// Setting deprecated values directly in session_start()
+// Expecting deprecation here
+session_start([ 'use_cookies' => '0', 'use_only_cookies' => '0', 'use_trans_sid' => '1']);
+
+echo SID;
+
+?>
+--EXPECTF--
+Deprecated: ini_set(): Disabling session.use_only_cookies INI setting is deprecated in %s on line 6
+
+Deprecated: ini_set(): Enabling session.use_trans_sid INI setting is deprecated in %s on line 11
+
+Deprecated: ini_set(): Usage of session.trans_sid_tags INI setting is deprecated in %s on line 16
+
+Deprecated: ini_set(): Usage of session.trans_sid_hosts INI setting is deprecated in %s on line 21
+
+Deprecated: ini_set(): Usage of session.referer_check INI setting is deprecated in %s on line 26
+
+Deprecated: session_start(): Disabling session.use_only_cookies INI setting is deprecated in %s on line 32
+
+Deprecated: session_start(): Enabling session.use_trans_sid INI setting is deprecated in %s on line 32
+
+Deprecated: Constant SID is deprecated in %s on line 34
+PHPSESSID=%s
@@ -14,4 +14,13 @@ session
 // We *must* set it here because the bug only triggers on a runtime edit
 ini_set('session.trans_sid_hosts','php.net');
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: PHP Startup: Disabling session.use_only_cookies INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Enabling session.use_trans_sid INI setting is deprecated in Unknown on line 0
+
+Deprecated: PHP Startup: Usage of session.trans_sid_hosts INI setting is deprecated in Unknown on line 0
+
+Deprecated: ini_set(): Usage of session.trans_sid_hosts INI setting is deprecated in %s on line 3
+
+Deprecated: PHP Request Shutdown: Usage of session.trans_sid_hosts INI setting is deprecated in Unknown on line 0
@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867 disabled
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867 disabled 2
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867 no name
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867 sid cookie
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867 sid get
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -1,6 +1,7 @@
 --TEST--
 session rfc1867 sid get 2
 --INI--
+display_startup_errors=0
 file_uploads=1
 upload_max_filesize=1024
 session.save_path=

@@ -6,7 +6,6 @@ upload_max_filesize=1024
 session.save_path=
 session.name=PHPSESSID
 session.use_cookies=1
-session.use_only_cookies=0
 session.use_strict_mode=0
 session.auto_start=0
 session.upload_progress.enabled=1