ID:               32631
 User updated by:  mjs15451 at hotmail dot com
 Reported By:      mjs15451 at hotmail dot com
-Status:           Bogus
+Status:           Open
-Bug Type:         Session related
+Bug Type:         Feature/Change Request
 Operating System: *
 PHP Version:      4.*, 5.*
 New Comment:

I wouldn't have mentioned it if I thought there was some documentation
for it somewhere.  Couldn't this be considered as an enhancement
suggestion?


Previous Comments:
------------------------------------------------------------------------

[2005-04-08 09:10:24] [EMAIL PROTECTED]

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

This is not a support forum.

------------------------------------------------------------------------

[2005-04-08 02:03:04] mjs15451 at hotmail dot com

Description:
------------
I'm trying to build a secure application which can run in safe mode and
prevent session fixation and hijacking.  I would like to regenerate the
session id on every request and delete the old sess_* file immediately
after the new one is created.  If I cannot delete it immediately, I
have to rely on garbage collection which won't delete any files after
the session expiration time of 24 minutes or whatever you set it to. 
As a result, this generates a lot of session files which take up
unnecessary space on the hard drive.  The problem with this scenario is
in safe mode I can't unlink the old session file because it's owned by
the server process which is obviously not the same uid/gid as the php
file.  I can't use session_destroy as it just destroys the current
session and when you start the session again, session_start just uses
the same file name again.  Would it be possible to give session_start
the ability to inherit the same ownership of the file in which it is
being called and apply that ownership to the sess_* file?  Or perhaps
would it be possible to have a flag for session_regenerate_id to unlink
the old file immediately instead of relying on garbage collection?  I'd
rather not have to use session_set_save_handler if that's possible as
the built-in functions are faster and I like speed.

Reproduce code:
---------------
session_start();
$oldSessionID = session_id();

/* 
new argument for session_regenerate_id could delete old sess_* file
immediately? 
*/

session_regenerate_id(); 

/* **OR** The sess_* file that was created with session_start(); could
have the same ownership as the template that called it so that one
could unlink it in safe mode? */

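/* session_save_path() normally has no trailing slash, so add the
separator before the file name */
unlink(session_save_path() . "/sess_" . $oldSessionID);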


Expected result:
----------------
Either session_regenerate_id() deletes the old session file or the
sess_* file has the same ownership (and not the server process
ownership it currently has) to make it possible to unlink in safe mode.

Actual result:
--------------
It's not possible to unlink old sess_* file in safe mode and/or
session_regenerate_id() doesn't have the ability to delete the old
session file.  


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=32631&edit=1
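
Added example, not part of the original report and not PHP project code: rotating the session id and removing the old session data in one call, using the optional delete_old_session argument that session_regenerate_id() accepts in PHP 5.1.0 and later. The helper name rotate_session_id(), the temporary save path and the sample data are assumptions for illustration; the file check assumes the default "files" save handler and a CLI run.

```php
<?php
// Added example (not from the bug report). Assumes PHP >= 5.1.0 and the
// default "files" session save handler; run from the CLI.

// Hypothetical helper: rotate the session id and let PHP remove the old
// sess_* file itself, so the script never has to unlink() a file that is
// owned by the server process.
function rotate_session_id()
{
    $oldId = session_id();
    if ($oldId === '') {
        return false;               // no active session to rotate
    }
    // true = delete_old_session: the save handler destroys the data stored
    // under the old id instead of leaving it for garbage collection.
    if (!session_regenerate_id(true)) {
        return false;
    }
    return array('old' => $oldId, 'new' => session_id());
}

// Constructed demo: a private save path so the result can be inspected.
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($dir, 0700);
session_save_path($dir);
session_start();
$_SESSION['user'] = 'alice';        // constructed sample data

$ids = rotate_session_id();
session_write_close();              // flush the data under the new id

if ($ids === false) {
    exit("session id could not be rotated\n");
}

// Report whether each sess_* file is present after the rotation.
$oldFile = $dir . '/sess_' . $ids['old'];
$newFile = $dir . '/sess_' . $ids['new'];
echo "old file present: ";
var_dump(file_exists($oldFile));
echo "new file present: ";
var_dump(file_exists($newFile));
```

Rotating at privilege changes such as login, with the old id destroyed in the same call, closes the window in which a fixated or captured id stays valid until garbage collection.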
