ID: 32631
Updated by: [EMAIL PROTECTED]
Reported By: mjs15451 at hotmail dot com
-Status: Open
+Status: Bogus
Bug Type: Feature/Change Request
Operating System: *
PHP Version: 4.*, 5.*
New Comment:
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same.
Thank you for your interest in PHP.
Yes, this is the same feature-request as what you referred to. Thank
you for polluting the bug db with another.
Previous Comments:
------------------------------------------------------------------------
[2005-04-09 01:29:24] mjs15451 at hotmail dot com
Just modify session.c with this code and recompile php:
PHP_FUNCTION(session_regenerate_id)
{
char *oldID = empty_string;
if (PS(session_status) == php_session_active) {
if (PS(id)) {
oldID = PS(id); //save old id
efree(PS(id));
}
PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL
TSRMLS_CC);
php_session_reset_id(TSRMLS_C);
if (oldID != empty_string)
PS(mod)->s_destroy(&PS(mod_data), oldID TSRMLS_CC); //delete old
session file
RETURN_TRUE;
}
RETURN_FALSE;
}
------------------------------------------------------------------------
[2005-04-08 17:39:52] mjs15451 at hotmail dot com
I believe this could be considered as a similar enhancement suggestion
to bug: http://bugs.php.net/bug.php?id=24096
------------------------------------------------------------------------
[2005-04-08 02:03:04] mjs15451 at hotmail dot com
Description:
------------
I'm trying to build a secure application which can run in safe mode and
prevent session fixation and hijacking. I would like to regenerate the
session id on every request and delete the old sess_* file immediately
after the new one is created. If I cannot delete it immediately, I
have to rely on garbage collection which won't delete any files after
the session expiration time of 24 minutes or whatever you set it to.
As a result, this generates a lot of session files which takes up
unnecessary space on the hard drive. The problem with this scenario is
in safe mode I can't unlink the old session file because it's owned by
the server process which is obviously not the same uid/gid as the php
file. I can't use session_destroy as it just destroys the current
session and when you start the session again, session_start just uses
the same file name again. Would it be possible to give session_start
the ability to inherit the same ownership of the file in which it is
being called and apply that ownership to the sess_* file? Or perhaps
would it be possible to have a flag for session_regenerate_id to unlink
the old file immediately instead of relying on garbage collection? I'd
rather not have to use session_set_save_handler if that's possible as
the built-in functions are faster and I like speed.
Reproduce code:
---------------
session_start();
$oldSessionID = session_id();
/*
new argument for session_regenerate_id could delete old sess_* file
immediately?
*/
session_regenerate_id();
/* **OR** The sess_* file that was created with session_start(); could
have the same ownership as the template that called it so that one
could unlink it in safe mode? */
unlink(session_save_path(). "sess_" . $oldSessionID);
Expected result:
----------------
Either session_regenerate_id() deletes the old session file or the
sess_* file has the same ownership (and not the server process
ownership it currently has) to make it possible to unlink in safe mode.
Actual result:
--------------
It's not possible to unlink old sess_* file in safe mode and/or
session_regenerate_id() doesn't have the ability to delete the old
session file.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32631&edit=1
