session_starts sends duplicate Set-Cookie #18601

Open
kamil-tekiela opened this issue May 19, 2025 · 3 comments

@kamil-tekiela
Member

Description

The following code:

```php
<?php

session_id('mysessionid');

session_start();
session_write_close();
session_start();
```

Resulted in this output:

```
HTTP/1.1 200 OK
Date: Mon, 19 May 2025 15:51:57 GMT
Server: Apache/2.4.62 (Win64) PHP/8.4.0 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.4.0
Set-Cookie: PHPSESSID=mysessionid; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=mysessionid; path=/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
```

But I expected this output instead:

```
HTTP/1.1 200 OK
Date: Mon, 19 May 2025 15:51:57 GMT
Server: Apache/2.4.62 (Win64) PHP/8.4.0 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.4.0

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=mysessionid; path=/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
```

I tried with output buffering on and off. If I remove `session_id()` I cannot reproduce it again, but I only used it to create a reproducible example, as in the real project, it's sending duplicate headers even without it.

PHP Version

PHP 8.4 and Apache 2.4.62

> Apache/2.4.62 (Win64) PHP/8.4.0 mod_fcgid/2.3.10-dev

Operating System

Windows 10

@kamil-tekiela
Member Author

Putting `ini_set('session.use_cookies', 'false');` before the second `session_start` helps but it shouldn't be required. This becomes evident when you execute the script 2 times. The second time there should be 0 `Set-Cookie` but I still see 2 without this line and 0 with this line.

@kkmuffme

See #18169

@kamil-tekiela
Member Author

I don't know about `setcookie()` but as I understand `session_start()` already has this feature built in. It just doesn't seem to work properly.
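
One application-level way to suppress the repeated header, as an added example that is not part of the issue thread or of php-src: a `header_register_callback()` hook that drops byte-identical `Set-Cookie` lines just before headers are sent. The helper name `dedupe_set_cookie_lines` is hypothetical, and that this hook removes the duplicate in the reporter's environment is an assumption, not something confirmed in the thread.

```php
<?php
declare(strict_types=1);

/**
 * Drop Set-Cookie lines whose value is byte-for-byte identical to an
 * earlier one, keeping the first occurrence. Cookies that differ in any
 * attribute are kept, so a regenerated session id is never discarded.
 * (Hypothetical helper, not a PHP built-in.)
 */
function dedupe_set_cookie_lines(array $headerLines): array
{
    $seen = [];
    $out  = [];
    foreach ($headerLines as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $value = trim(substr($line, strlen('Set-Cookie:')));
            if (isset($seen[$value])) {
                continue; // exact duplicate of an earlier Set-Cookie
            }
            $seen[$value] = true;
        }
        $out[] = $line; // non-cookie headers pass through untouched
    }
    return $out;
}

// Called once, after PHP has prepared all headers and before any output.
header_register_callback(function (): void {
    $cookies = array_values(array_filter(
        headers_list(),
        fn(string $l): bool => stripos($l, 'Set-Cookie:') === 0
    ));
    $unique = dedupe_set_cookie_lines($cookies);
    if (count($unique) === count($cookies)) {
        return; // nothing duplicated, leave the header set alone
    }
    header_remove('Set-Cookie');
    foreach ($unique as $line) {
        header($line, false); // false: append, do not replace earlier Set-Cookie
    }
});

// Reproduction from the issue description.
session_id('mysessionid');
session_start();
session_write_close();
session_start();
```

This runs under a web SAPI; the hook only collapses identical lines and does not address the second observation in the thread, that a request already carrying the cookie still receives `Set-Cookie`.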
