ID: 24096
Comment by: mjs15451 at hotmail dot com
Reported By: pablo_sole at myp dot net dot ar
Status: Open
Bug Type: Feature/Change Request
Operating System: *
PHP Version: 5.*, 4.*
New Comment:
Thanks, Ilia, for implementing this option in PHP 5.1. I know many
people will be happy about this. :-)
Previous Comments:
------------------------------------------------------------------------
[2005-04-09 01:42:36] mjs15451 at hotmail dot com
Don't know if this works on PHP 4, but this is what I did to get
session_regenerate_id to delete the old session file in PHP 5. Replace
the session_regenerate_id function in session.c with this function I
modded:
PHP_FUNCTION(session_regenerate_id)
{
    char *old_id = NULL;

    if (PS(session_status) == php_session_active) {
        if (PS(id)) {
            /* keep the old id alive: it is still needed by s_destroy below */
            old_id = PS(id);
        }
        PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
        php_session_reset_id(TSRMLS_C);
        if (old_id) {
            /* delete the old session file through the save handler */
            PS(mod)->s_destroy(&PS(mod_data), old_id TSRMLS_CC);
            /* free only after s_destroy has used the pointer */
            efree(old_id);
        }
        RETURN_TRUE;
    }
    RETURN_FALSE;
}
------------------------------------------------------------------------
[2005-04-08 17:38:28] mjs15451 at hotmail dot com
I would definitely be for auto-destruction of the old session file as I
have come upon this problem as well and I have made a similar
enhancement suggestion under bug: http://bugs.php.net/bug.php?id=32631
------------------------------------------------------------------------
[2003-06-10 23:50:40] pablo_sole at myp dot net dot ar
You're right, in my own case I use this function to do a per-page
session (following OWASP's "Guide to Build Secure Web Applications" or
something like that), so what I'm doing is to refresh the ID every time
a user does a request, but without losing the "statefulness". So, if you
think this needs to be supported by the PHP sessions code, it was an honor
to help you; if not, I already did a little patch to support it on my own
server.
pablo.
------------------------------------------------------------------------
[2003-06-09 23:10:25] [EMAIL PROTECTED]
It is debatable whether the function should destroy the old session.
The current behaviour is useful under a number of circumstances.
Auto-destruction could be added as a new feature though.
-> Feature/Change request.
------------------------------------------------------------------------
[2003-06-09 09:42:08] pablo_sole at myp dot net dot ar
Testing the new session_regenerate_id I see that after upgrading the SID,
it does not unlink the old session file, so when you regenerate many times
the session could be used to make a DoS, or at least it is not what is
expected from the function.
Checking the source code, the routine frees the SID and assigns the new
one, but does not unlink the old file (just like in the php_session_destroy
routine).
A workaround could be to unlink manually on the fly, or patch the session.c
file.
Sorry for my poor English, but it is not my native language.
Any question, mail me.
pablo.
PS: I don't have any "specific setup" or extra modules compiled in, and
for that reason I don't put it here.
------------------------------------------------------------------------
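The behaviour discussed in this thread, shown in userland PHP as an added example (not code from the bug report or from PHP's own sources): regenerate the session ID on every request, as the reporter does, without leaving the old session file on disk. For PHP 5.1 and later it uses the delete_old_session argument that session_regenerate_id() gained in that release; for older releases it applies the manual unlink workaround the reporter mentions. It assumes the default "files" save handler with session.save_path set to a plain writable directory, and the function name is an assumption.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Assumes the default "files" save handler and that session.save_path is a
// plain directory (not the "N;MODE;/path" form).

function regenerate_and_drop_old_session()
{
    if (session_id() === '') {
        // No active session: nothing to regenerate.
        return false;
    }

    if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
        // PHP >= 5.1: the second argument tells the save handler to destroy
        // the old session data before the new ID is issued.
        return session_regenerate_id(true);
    }

    // Older PHP: remember the old ID, regenerate, then remove the old file
    // ourselves. "sess_<id>" is the files handler's naming convention; a
    // custom save handler would need its own destroy call instead.
    $old_id   = session_id();
    $old_file = rtrim(session_save_path(), '/\\')
              . DIRECTORY_SEPARATOR . 'sess_' . $old_id;

    if (!session_regenerate_id()) {
        return false;
    }

    if (is_file($old_file)) {
        unlink($old_file);
    }
    return true;
}

// Usage: call once per request right after session_start() for the
// reporter's per-page scheme, or at least at privilege changes such as
// login. $_SESSION contents survive the regeneration, so state is kept.
session_start();
regenerate_and_drop_old_session();
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
```

One caveat a practitioner should weigh before regenerating on every request: a second request that is already in flight with the old cookie (for example a concurrent XMLHttpRequest) will arrive after the old session has been destroyed and will start an empty session. Regenerating only at authentication and privilege boundaries avoids that race while still defeating session fixation.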