It’s normal because it’s PHP doing that. We don’t set the header for phpsessionid. We can’t. It’s happening multiple times because we are starting and stopping the PHP session to add and remove items from it (but not 41 times). Which is normal (normal because PHP adds the sessions 41 times).
Not to be the “a hole” here, but if you believe this is a violation of RFC6265 then you need to go report it to PHP.
So then why does the admin side return a nice and lean response header?
How is the difference in response header behavior between the admin panel and the UCP a PHP issue?
Sorry for seemingly triggering a defensive response from you…
So here is a response from the PHP guys on an identical issue (Bug #38104). Albeit there was significant discussion following their comment, I believe the consensus was that this isn’t a bug.
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php
Session is created every time you call session_start(). If you want to avoid multiple cookies, write better code. Multiple session_start() especially for the same names in the same script seems like a really bad idea.
I’m merely letting you know what sets phpsessid. You seem to be the only person with the issue. Since FreePBX isn’t actually setting phpsessid but PHP is, and PHP is setting it multiple times, then PHP is violating the RFC, not FreePBX. The tool that is doing the job of setting phpsessid is violating the RFC. If Asterisk violates an RFC, do you report the bug against FreePBX because FreePBX uses Asterisk? This is the reasoning.
The issue here is caused by output buffering in the UCP code.
The function headers_sent() will always return false when buffering the output. Only after the buffer is flushed out to the client will headers_sent return true. So, analyzing the code I do see an attempt to only call session_start() once in Session.class.php. However, because buffered output is used, headers_sent is always returning false, so you are indeed calling session_start() >40 times. The logic in Session.class.php is fundamentally flawed, imo.
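The following is an added example, not part of the thread and not FreePBX or UCP code: it guards session_start() on session state rather than headers_sent(), and collapses the repeated Set-Cookie headers that a start/close pattern can still produce under output buffering. The helper names open_session() and dedupe_set_cookie() are hypothetical, the request flow at the bottom is constructed, and a web SAPI is assumed so that headers_list() reflects the pending response headers.

```php
<?php
// Added illustration. open_session() and dedupe_set_cookie() are hypothetical
// helper names, not functions from the UCP code.

// Guard on session state; headers_sent() stays false while output is buffered.
function open_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Collapse repeated Set-Cookie headers to one per cookie name (last one wins).
// Keyed on the name only, so call it before the buffer is flushed and only
// where the same name is not deliberately set for several paths or domains.
function dedupe_set_cookie(): void
{
    if (headers_sent()) {
        return; // headers already on the wire, nothing can be changed
    }
    $byName = [];
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = ltrim(substr($line, strlen('Set-Cookie:')));
        $name = trim(explode('=', $value, 2)[0]);
        $byName[$name] = $value;
    }
    if ($byName === []) {
        return;
    }
    header_remove('Set-Cookie');
    foreach ($byName as $value) {
        header('Set-Cookie: ' . $value, false); // false: append, do not replace
    }
}

// Constructed request flow: buffered output, session opened and closed per write.
ob_start();
for ($i = 0; $i < 3; $i++) {
    open_session();
    $_SESSION['item' . $i] = $i;
    session_write_close(); // releases the session lock; session is no longer active
}
dedupe_set_cookie();
ob_end_flush();
```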