There are three session variable names that SHOULD NOT be used. These are reserved for internal use by the core Sessionclass. If one of these reserved names is used, the Session::set() method will throw an invalid argument exception:

  • string $_SESSION['HTTPS']
  • string $_SESSION['HTTP_USER_AGENT']
  • array $_SESSION['SESSION_OBJECT_POOL']


The reserved $_SESSION['HTTPS'] and $_SESSION['HTTP_USER_AGENT'] session variables contain copies of the global $_SERVER['HTTPS'] and $_SERVER['HTTP_USER_AGENT'] server variables. The $_SESSION['HTTPS'] is used to regenerate the session ID if the client connection switches from plain HTTP to HTTP Secure (HTTP/S) and back. The $_SESSION['HTTP_USER_AGENT'] variable is used to notice any changes of the HTTP client or the client configuration.