Edit report at https://bugs.php.net/bug.php?id=61470&edit=1
ID: 61470 User updated by: david at grudl dot com Reported by: david at grudl dot com Summary: session_regenerate_id() do not create session file Status: Open Type: Bug Package: Session related Operating System: Windows 7 x64 PHP Version: 5.4.0 Block user comment: N Private report: N New Comment: Usage of echo does not matter. Previous Comments: ------------------------------------------------------------------------ [2012-03-25 21:00:29] riptide dot tempora at opinehub dot com How much of the bug is caused by having an echo before session_regenerate_id() which tries to send a new cookie to the end-user? ------------------------------------------------------------------------ [2012-03-22 14:27:49] david at grudl dot com Because this bug is very insidious and difficult to discover, I offer workaround https://github.com/nette/nette/commit/a4e4e80562cfb45d11d80e05d254fc207c456308#L0R241 $_SESSION is backed up before session_start() and restored to preserve the references. ------------------------------------------------------------------------ [2012-03-22 04:48:03] david at grudl dot com Description: ------------ session_start() creates and locks session file, but session_regenerate_id() doesn't do it. After session_regenerate_id() session is started with new ID, but the file is not created immediately (is created when session is closed) and therefore is not locked. I think this causes bugs like #49462. Test script: --------------- $path = ini_get('session.save_path') . '/sess_'; session_start(); // starts session & creates and locks file echo is_file($path . session_id()); // -> TRUE session_regenerate_id(); // starts new session, but file is not create! echo is_file($path . session_id()); // -> FALSE ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=61470&edit=1
