[2005-04-08 02:03 UTC] mjs15451 at hotmail dot com
Description:
------------
I'm trying to build a secure application which can run in safe mode and prevent session fixation and hijacking. I would like to regenerate the session id on every request and delete the old sess_* file immediately after the new one is created. If I cannot delete it immediately, I have to rely on garbage collection which won't delete any files after the session expiration time of 24 minutes or whatever you set it to. As a result, this generates a lot of session files which take up unnecessary space on the hard drive.

The problem with this scenario is in safe mode I can't unlink the old session file because it's owned by the server process which is obviously not the same uid/gid as the php file. I can't use session_destroy as it just destroys the current session and when you start the session again, session_start just uses the same file name again.

Would it be possible to give session_start the ability to inherit the same ownership of the file in which it is being called and apply that ownership to the sess_* file? Or perhaps would it be possible to have a flag for session_regenerate_id to unlink the old file immediately instead of relying on garbage collection? I'd rather not have to use session_set_save_handler if that's possible as the built-in functions are faster and I like speed.

Reproduce code:
---------------
session_start();
$oldSessionID = session_id();

/* new argument for session_regenerate_id could delete old sess_* file immediately? */
session_regenerate_id();

/* **OR**
   The sess_* file that was created with session_start(); could have the same
   ownership as the template that called it so that one could unlink it in safe mode? */
/* session_save_path() normally has no trailing slash, so add the separator */
unlink(session_save_path() . "/sess_" . $oldSessionID);

Expected result:
----------------
Either session_regenerate_id() deletes the old session file or the sess_* file has the same ownership (and not the server process ownership it currently has) to make it possible to unlink in safe mode.

Actual result:
--------------
It's not possible to unlink old sess_* file in safe mode and/or session_regenerate_id() doesn't have the ability to delete the old session file.

Just modify session.c with this code and recompile php:

PHP_FUNCTION(session_regenerate_id)
{
	char *oldID = empty_string;

	if (PS(session_status) == php_session_active) {
		if (PS(id)) {
			/* save old id; it is freed only after s_destroy() has used it */
			oldID = PS(id);
		}

		PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
		php_session_reset_id(TSRMLS_C);

		if (oldID != empty_string) {
			/* delete old session file */
			PS(mod)->s_destroy(&PS(mod_data), oldID TSRMLS_CC);
			efree(oldID);
		}
		RETURN_TRUE;
	}
	RETURN_FALSE;
}
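
The same behaviour without recompiling, as an added example that is not part of the report or of the PHP source: since PHP 5.1.0 session_regenerate_id() takes a boolean that destroys the old session at once, and with the session_set_save_handler route mentioned in the report that call reaches the handler's destroy() with the old id. DirSessionHandler and the demo_sessions directory are hypothetical names; the code assumes PHP 8.

```php
<?php
// Added example. DirSessionHandler and demo_sessions are hypothetical names.
final class DirSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir) {}

    // The ID is client-supplied: accept plain tokens only, so it cannot escape $dir.
    private function path(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id) ? "{$this->dir}/sess_{$id}" : null;
    }
    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $f = $this->path($id);
        return ($f !== null && is_file($f)) ? (string) file_get_contents($f) : '';
    }
    public function write(string $id, string $data): bool
    {
        $f = $this->path($id);
        return $f !== null && file_put_contents($f, $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool
    {
        $f = $this->path($id);   // receives the OLD id on session_regenerate_id(true)
        return $f === null || !is_file($f) || unlink($f);
    }
    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob("{$this->dir}/sess_*") ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }
}

ini_set('session.use_cookies', '0');   // CLI demo: no Set-Cookie header involved
$dir = sys_get_temp_dir() . '/demo_sessions';
session_set_save_handler(new DirSessionHandler($dir), true);
session_start(); $_SESSION['user'] = 'alice'; session_write_close(); // persist once
session_start();
$old = session_id();
session_regenerate_id(true);           // new ID; destroy($old) runs immediately
var_dump(is_file("$dir/sess_$old"), $_SESSION['user'], session_id() !== $old);
```

The final var_dump() reports whether the old file still exists, whether the session data carried over, and whether the id changed.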