MFH: fix bug #32944 (Disabling session.use_cookies doesn't prevent reading session cookies)

2 files changed, 3 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 6e8c0e7104..1d0160864e 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP 4                                                                      NEWS
 - Fixed bug #33019 (socket errors cause memory leaks in php_strerror()). 
   (jwozniak23 at poczta dot onet dot pl, Tony).
 - Fixed bug #32974 (pcntl calls malloc() from a signal handler). (Wez)
+- Fixed bug #32944 (Disabling session.use_cookies doesn't prevent reading 
+  session cookies). (Jani, Tony)
 - Fixed bug #32936 (http redirects URLs are not checked for control chars). (Ilia)
 - Fixed bug #32932 (Oracle LDAP: ldap_get_entries invalid pointer). (Jani)
 - Fixed bug #32904 (pg_get_notify() ignores result_type parameter). (Tony)
diff --git a/ext/session/session.c b/ext/session/session.c
index 816f03f040..9904e7a9e7 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1015,7 +1015,7 @@ PHPAPI void php_session_start(TSRMLS_D)
 	 */
 
 	if (!PS(id)) {
-		if (zend_hash_find(&EG(symbol_table), "_COOKIE",
+		if (PS(use_cookies) && zend_hash_find(&EG(symbol_table), "_COOKIE",
 					sizeof("_COOKIE"), (void **) &data) == SUCCESS &&
 				Z_TYPE_PP(data) == IS_ARRAY &&
 				zend_hash_find(Z_ARRVAL_PP(data), PS(session_name),