From: pablo_sole at myp dot net dot ar
Operating system: linux rh8 apache 1.3.27
PHP version: 4.3.2
PHP Bug Type: Session related
Bug description: session_regenerate_id does not delete the old session file

Testing the new session_regenerate_id, I see that after updating the SID it does not unlink the old session file, so regenerating the session many times could be used to make a DoS, or at least it is not what is expected from the function.

Checking the source code, the routine frees the SID and assigns the new one, but does not unlink the old file (just like in the php_session_destroy routine).

A workaround could be to unlink manually on the fly, or to patch the session.c file.

Sorry for my poor English, but it is not my native language. Any questions, mail me.

pablo.

PS: I do not have any "specific setup" or extra modules compiled in, and for that reason I don't put it here.

-- 
Edit bug report at http://bugs.php.net/?id=24096&edit=1
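
The manual-unlink workaround mentioned in the report, as an added example that is not part of the original report or of PHP's own code. It assumes the default "files" save handler with a flat session.save_path (files named sess_<id>); regenerate_and_unlink() is a hypothetical helper name.

```php
<?php
// Added example: regenerate the session id, then remove the file that
// belonged to the old id. Assumes the "files" save handler and a flat
// save path; regenerate_and_unlink() is a hypothetical helper.
// Returns true only when the old session file was actually removed.
function regenerate_and_unlink()
{
    $old_id = session_id();
    if ($old_id === '' || !session_regenerate_id()) {
        return false;               // no active session, or regeneration failed
    }
    if (ini_get('session.save_handler') !== 'files') {
        return false;               // other handlers do not use sess_<id> files
    }
    // The id can be supplied by the client in a cookie. Accept only a plain
    // token so the path handed to unlink() cannot leave the save directory.
    if (!preg_match('/^[A-Za-z0-9,-]+$/', $old_id)) {
        return false;
    }
    $save_path = session_save_path();
    // A "N;/path" value means session files are spread over subdirectories;
    // that layout is outside what this example handles.
    if ($save_path === '' || strpos($save_path, ';') !== false) {
        return false;
    }
    $old_file = rtrim($save_path, '/') . '/sess_' . $old_id;
    if (!is_file($old_file)) {
        return false;               // nothing left behind for this id
    }
    return unlink($old_file);
}

session_start();
regenerate_and_unlink();            // e.g. right after a successful login
```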
