What application component in a LAMP stack, sets the "Set-Cookie" header

Question

The application I'm working with accepts three different types of login. Automatically if the client connects from certain IP-adresses, or a POST request, either from a normal browser rendered form, or towards a JSON reading API-endpoint.

All three options boil down to calling the same functions for registering the user as logged in, and generating a session.

Despite the code paths being the same as far as I can determine, two of these consistently work, while one consistently fails to add a 'Set-Cookie' header to the response, even though the application logic generates a sessionid that gets sent in the reponse body.

Never having needed to dig into how session authentication works to this level of detail, I realise I don't understand. where the 'Set-Cookie' header, should come from . Should application logic always build the header manually? Will PHP do it automatically once session_start() is called? Does Apache do it based on other parts of the header?

I sort of ruled out 1 by failing to find anything with grep -ri "set.cookie" * in the codebase I'm working with.

Answer 1

session_start sends a session cache limiter and a session cookie (or sets a $_GET key with your PHPSESSID).

This function is where the Set-Cookie paramater is sent from. Apache will then pass it back to the browser when it sends the page back.

You need to remember however that storing the cookie is actually up to the browser . By and large they will be set without issue, but certain conditions will stop this from happening, such as the security settings in Internet Explorer or the user rejecting cookies entirely.

Further reading:

http://www.php.net/manual/en/function.session-start.php

http://www.php.net/manual/en/function.session-get-cookie-params.php

http://www.php.net/manual/en/function.session-status.php