ID: 24096
Updated by: [EMAIL PROTECTED]
Reported By: pablo_sole at myp dot net dot ar
-Status: Open
+Status: Closed
Bug Type: Feature/Change Request
Operating System: *
PHP Version: 5.*, 4.*
New Comment:
As last comment says, this feature was added to PHP 5.1.
Previous Comments:
------------------------------------------------------------------------
[2005-06-28 22:52:27] mjs15451 at hotmail dot com
Thanks, Ilia, for implementing this option in PHP 5.1. I know many
people will be happy about this. :-)
------------------------------------------------------------------------
[2005-04-09 01:42:36] mjs15451 at hotmail dot com
Don't know if this works on PHP 4, but this is what I did to get
session_regenerate_id to delete the old session file in PHP 5. Replace
the session_regenerate_id function in session.c with this function I
modded:
PHP_FUNCTION(session_regenerate_id)
{
char *oldID = empty_string;
if (PS(session_status) == php_session_active) {
if (PS(id)) {
oldID = PS(id); //save old id
efree(PS(id));
}
PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL
TSRMLS_CC);
php_session_reset_id(TSRMLS_C);
if (oldID != empty_string)
PS(mod)->s_destroy(&PS(mod_data), oldID TSRMLS_CC); //delete old
session file
RETURN_TRUE;
}
RETURN_FALSE;
}
------------------------------------------------------------------------
[2005-04-08 17:38:28] mjs15451 at hotmail dot com
I would definitely be for auto-destruction of the old session file as I
have come upon this problem as well and I have made a similar
enhancement suggestion under bug: http://bugs.php.net/bug.php?id=32631
------------------------------------------------------------------------
[2003-06-10 23:50:40] pablo_sole at myp dot net dot ar
You're right, in my own case i use this function to do a per-page
session (following OWASP's "Guide to Build Secure Web Applications" or
something like that), so what i'm doing is to refresh the id every time
a user do a request, but without lost the "statefulness". So, if you
think this need to be supported by the php sessions code, was an honor
help you, if not... i already do a little patch to support it on my own
server.
pablo.
------------------------------------------------------------------------
[2003-06-09 23:10:25] [EMAIL PROTECTED]
It is debatable whether the function should destroy the old session.
The current behaviour is useful under a number of circumstances.
Auto-destruction could be added as a new feature though.
-> Feature/Change request.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/24096
--
Edit this bug report at http://bugs.php.net/?id=24096&edit=1
