Bug #61470 [Opn->Asn]: session_regenerate_id() do not create session file

Wed, 28 Mar 2012 01:03:02 -0700 

Edit report at https://bugs.php.net/bug.php?id=61470&edit=1

 ID:                 61470
 Updated by:         yohg...@php.net
 Reported by:        david at grudl dot com
 Summary:            session_regenerate_id() do not create session file
-Status:             Open
+Status:             Assigned
 Type:               Bug
 Package:            Session related
-Operating System:   Windows 7 x64
+Operating System:   ANY
 PHP Version:        5.4.0
-Assigned To:        
+Assigned To:        yohgaki
 Block user comment: N
 Private report:     N

 New Comment:

I have to deal with session ID collision detection in session_regenerate_id() 
for 
strict session.

I think I found what's wrong. Assigned to myself.


Previous Comments:
------------------------------------------------------------------------
[2012-03-27 16:23:37] david at grudl dot com

Usage of echo does not matter.

------------------------------------------------------------------------
[2012-03-25 21:00:29] riptide dot tempora at opinehub dot com

How much of the bug is caused by having an echo before session_regenerate_id() 
which tries to send a new cookie to the end-user?

------------------------------------------------------------------------
[2012-03-22 14:27:49] david at grudl dot com

Because this bug is very insidious and difficult to discover, I offer 
workaround 
https://github.com/nette/nette/commit/a4e4e80562cfb45d11d80e05d254fc207c456308#L0R241

$_SESSION is backed up before session_start() and restored to preserve the 
references.

------------------------------------------------------------------------
[2012-03-22 04:48:03] david at grudl dot com

Description:
------------
session_start() creates and locks session file, but session_regenerate_id() 
doesn't do it. After session_regenerate_id() session is started with new ID, 
but the file is not created immediately (is created when session is closed) and 
therefore is not locked. 

I think this causes bugs like #49462.



Test script:
---------------
$path = ini_get('session.save_path') . '/sess_';

session_start(); 
// starts session & creates and locks file
echo is_file($path . session_id()); // -> TRUE

session_regenerate_id();
// starts new session, but file is not create!
echo is_file($path . session_id()); // -> FALSE



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61470&edit=1

Reply via email to