ID: 32631
Updated by: [EMAIL PROTECTED]
Reported By: mjs15451 at hotmail dot com
-Status: Open
+Status: Bogus
Bug Type: Feature/Change Request
Operating System: *
PHP Version: 4.*, 5.*

New Comment:
Please do not submit the same bug more than once. An existing bug report already describes this very problem. Even if you feel that your issue is somewhat different, the resolution is likely to be the same. Thank you for your interest in PHP.

Yes, this is the same feature request as what you referred to. Thank you for polluting the bug db with another.

Previous Comments:
------------------------------------------------------------------------

[2005-04-09 01:29:24] mjs15451 at hotmail dot com

Just modify session.c with this code and recompile php:

    PHP_FUNCTION(session_regenerate_id)
    {
        if (PS(session_status) == php_session_active) {
            if (PS(id)) {
                /* destroy the old session file while the old id is still a
                   valid pointer, then free it (the posted order, efree first
                   and s_destroy afterwards, handed s_destroy freed memory) */
                PS(mod)->s_destroy(&PS(mod_data), PS(id) TSRMLS_CC);
                efree(PS(id));
            }
            /* create the new id and push it to the client */
            PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
            php_session_reset_id(TSRMLS_C);
            RETURN_TRUE;
        }
        RETURN_FALSE;
    }

------------------------------------------------------------------------

[2005-04-08 17:39:52] mjs15451 at hotmail dot com

I believe this could be considered as a similar enhancement suggestion to bug: http://bugs.php.net/bug.php?id=24096

------------------------------------------------------------------------

[2005-04-08 02:03:04] mjs15451 at hotmail dot com

Description:
------------
I'm trying to build a secure application which can run in safe mode and prevent session fixation and hijacking. I would like to regenerate the session id on every request and delete the old sess_* file immediately after the new one is created. If I cannot delete it immediately, I have to rely on garbage collection, which won't delete any files before the session expiration time of 24 minutes or whatever you set it to. As a result, this generates a lot of session files which take up unnecessary space on the hard drive.

The problem with this scenario is that in safe mode I can't unlink the old session file because it's owned by the server process, which is obviously not the same uid/gid as the php file. I can't use session_destroy as it just destroys the current session, and when you start the session again, session_start just uses the same file name again. Would it be possible to give session_start the ability to inherit the same ownership of the file in which it is being called and apply that ownership to the sess_* file? Or perhaps would it be possible to have a flag for session_regenerate_id to unlink the old file immediately instead of relying on garbage collection? I'd rather not have to use session_set_save_handler if that's possible, as the built-in functions are faster and I like speed.

Reproduce code:
---------------

    <?php
    session_start();
    $oldSessionID = session_id();

    /* new argument for session_regenerate_id could delete old sess_* file immediately? */
    session_regenerate_id();

    /* **OR** The sess_* file that was created with session_start() could have the
       same ownership as the template that called it, so that one could unlink it
       in safe mode? */
    /* session_save_path() has no trailing slash, so the separator must be added */
    unlink(session_save_path() . "/sess_" . $oldSessionID);
    ?>

Expected result:
----------------
Either session_regenerate_id() deletes the old session file, or the sess_* file has the same ownership (and not the server process ownership it currently has) to make it possible to unlink in safe mode.

Actual result:
--------------
It's not possible to unlink the old sess_* file in safe mode, and/or session_regenerate_id() doesn't have the ability to delete the old session file.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=32631&edit=1
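The rotation the report asks for, written as an added example rather than code from the bug report: on PHP 5.1 and later session_regenerate_id() takes a delete_old_session argument that removes the old session storage at once, so no unlink() of a server-owned file is needed. It assumes the default "files" save handler; the helper names rotate_session_id() and session_file_for() are the example's own.

```php
<?php
// Added example, not from the bug report: rotate the session id and have PHP
// destroy the old sess_* file itself instead of waiting for garbage collection.
// Assumes PHP >= 5.1 (delete_old_session argument) and the "files" handler.

// Reject ids the server never issued (fixation defence, PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

session_start();

/**
 * Issue a fresh session id and destroy the old session's storage immediately.
 * Returns the old id so the caller can verify that its file is gone.
 */
function rotate_session_id()
{
    $old = session_id();
    // true = delete the old session's storage (the sess_<old> file) now.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('session_regenerate_id() failed');
    }
    return $old;
}

/**
 * Storage path of the files handler for a given id. session_save_path() may
 * carry an "N;MODE;" prefix on some setups, so keep only the directory part.
 */
function session_file_for($id)
{
    $path = session_save_path();
    if ($path === '') {
        $path = sys_get_temp_dir();   // PHP's fallback when save_path is unset
    }
    $parts = explode(';', $path);
    $dir = end($parts);
    return rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . 'sess_' . $id;
}

$oldId = rotate_session_id();

// The old file should already be gone, so safe mode's ownership rules (the
// file belongs to the web server uid) never come into play.
if (file_exists(session_file_for($oldId))) {
    error_log('old session file still present: ' . session_file_for($oldId));
}
```

Rotating on every request, as the report proposes, races with concurrent requests from the same browser (a second request may arrive carrying the id that was just destroyed); rotating at login and at each privilege change is the usual compromise.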