Can you create a small example application that allows to reproduce your issue?

Thank for your help.
I do this soon as possible

This is the repo with the sample : https://github.com/Flofr/Bug-session-php7.2-sf2.8

You have to go on the login page /login with the login "test" and pwd "test"
The listener AuthenticationHandler change the session lifetime and throw the exception on PHP7.2

Hi,
Any news ? Did you reproduce the bug with my sources ?
I found another ticket in another project (using Symfony) where they talk about the same bug : zikula/core#3898

For helping you, the test in Symfony code is not complete.
This test is only for session migrate without parameter, but the bug is when you migrate with new lifetime.
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Tests/Session/SessionTest.php

I am not sure what we can do here. Maybe deprecate being able to pass a lifetime here?

@xabbuh is this still a bug ?

I think so.

What's wrong with using session_set_cookie_params? https://www.php.net/manual/en/function.session-set-cookie-params.php

Note that the manual might give the wrong impression that it's just a wrapper for ini_set, TIAS.

You're probably going to just have to session destroy then recreate or something.

$old = $_SESSION;

if ($destroy) {
 session_destroy();
} else {
 if ($howDoesRegenWork) {
  session_abort();
 } else {
  session_write_close();
 }
}

session_set_cookie_params($timeout);
session_start();
$_SESSION = $old;

Set what that does, otherwise may just have to look at the PHP source. Hopefully nothing unpleasant would be needed such as session_encode/session_decode, etc. Might want some other hacks for other places like session_id to set, etc.

Personally I usually end up just not using the PHP handler for sessions as it has been causing me headaches since 2008. You don't get proper locking, it's stuck as a singleton, etc. Don't know why you would make a framework only to fallback to a flawed by design session API. It's only good for prototyping, mockups and simple use cases.

We had a quite hard fight with this one (zikula/core#3898, zikula/core#3986, zikula/core#4078), but now I think this is solved.

You're probably going to just have to session destroy then recreate or something.

Yes. I finally found a fix that seems to work.

Background of the problem:

First, the NativeSessionStorage::regenerate method returns if there is no active session (see here). Afterwards it tries to set a given custom lifetime using ini_set (see here) which causes the original problem (Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time).

So what I did is this: zikula/core@e3b9d42...c7e625a It looks a bit confusing because I had to duplicate some code of the class in my child class (due to #35460).

The actual fix (it looks so simple) is replacing:

ini_set('session.cookie_lifetime', $lifetime);

by:

$this->save();
ini_set('session.cookie_lifetime', $lifetime);
$this->start();