Summary: action=logout incorrectly sets session cookie if no session exists
Created: 2009-01-19 07:13
Status: Closed (Added for 2.2.3)
Category: Bug
Priority: 4
Version: 2.2.0
OS: Apache 2.2 / PHP 5.2.0

Description: Performing an action=logout when not actually logged in causes PmWiki to set a session cookie. This is done by the call to session_start() in the HandleLogoutA function, on line 2034 of pmwiki.php.

If the user is actually logged in, the subsequent condition isset($_COOKIE[session_name()]) is true and a second Cookie header is sent to the browser, unsetting the session cookie.

However, if the user isn't logged in, that condition is false and the browser ends up with an extraneous session cookie. This is relevant in the context of FastCache, which uses the non-presence of said cookie to serve files from the disk cache.

To fix this, the following change is needed to pmwiki.php:

<   if (isset($_COOKIE[session_name()]))
>   if ( ( session_id() != '' ) || isset($_COOKIE[session_name()]) )

Source: http://php.net/manual/en/function.session-destroy.php#83844