Request #24096 session_regenerate_id() should optionally delete the old session file
Submitted: 2003-06-09 09:42 UTC Modified: 2005-06-28 22:59 UTC
From: pablo_sole at myp dot net dot ar Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 5.*, 4.* OS: *
Private report: No CVE-ID: None
 [2003-06-09 09:42 UTC] pablo_sole at myp dot net dot ar
Testing the new session_regenerate_id, I see that after updating the SID, it does not unlink the old session file, so when you regenerate the session many times, it could be used to cause a DoS, or at least it is not what is expected from the function.

Checking the source code, the routine frees the SID and assigns the new one, but does not unlink the old file (just like in the php_session_destroy routine).

A workaround could be to unlink manually on the fly, or to patch the session.c file.

Sorry for my poor English, but it is not my native language.

Any questions, mail me.

pablo.

PS: I do not have any "specific setup" or extra modules compiled in, and for that reason I don't put it here.

 [2003-06-09 23:10 UTC] sas@php.net
It is debatable whether the function should destroy the old session.  The current behaviour is useful under a number of circumstances. Auto-destruction could be added as a new feature though.

 -> Feature/Change request.
 [2003-06-10 23:50 UTC] pablo_sole at myp dot net dot ar
You're right. In my own case I use this function to do a per-page session (following OWASP's "Guide to Build Secure Web Applications" or something like that), so what I'm doing is refreshing the ID every time a user makes a request, but without losing the "statefulness". So, if you think this needs to be supported by the PHP session code, it was an honor to help you; if not... I already made a little patch to support it on my own server.

pablo.
 [2005-04-08 17:38 UTC] mjs15451 at hotmail dot com
I would definitely be for auto-destruction of the old session file as I have come upon this problem as well and I have made a similar enhancement suggestion under bug: http://bugs.php.net/bug.php?id=32631
 [2005-04-09 01:42 UTC] mjs15451 at hotmail dot com
Don't know if this works on PHP 4, but this is what I did to get session_regenerate_id to delete the old session file in PHP 5.  Replace the session_regenerate_id function in session.c with this function I modded:

PHP_FUNCTION(session_regenerate_id)
{
        char *oldID = empty_string;
        if (PS(session_status) == php_session_active) {
                if (PS(id)) {
                        /* save old id; do not free it yet, s_destroy() below still reads it */
                        oldID = PS(id);
                }

                PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);

                php_session_reset_id(TSRMLS_C);

                if (oldID != empty_string) {
                        /* delete old session file, then release the old id string */
                        PS(mod)->s_destroy(&PS(mod_data), oldID TSRMLS_CC);
                        efree(oldID);
                }

                RETURN_TRUE;
        }
        RETURN_FALSE;
}
 [2005-06-28 22:52 UTC] mjs15451 at hotmail dot com
Thanks, Ilia, for implementing this option in PHP 5.1. I know many people will be happy about this.  :-)
 [2005-06-28 22:59 UTC] nlopess@php.net
As the last comment says, this feature was added to PHP 5.1.
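The behaviour discussed in this report, as an added example (not code from the report or from PHP itself): it rotates the session ID on every simulated request, once without and once with the optional delete argument, and counts the session files left in the save path. It assumes PHP 7 or later run from the CLI with the default "files" save handler; `rotate_session()` and the temporary directory are constructed for the demonstration.

```php
<?php
// Added example, not code from the bug report. Assumes PHP CLI and the
// default "files" save handler; the temp directory is constructed here.

function rotate_session(bool $deleteOld, int $rounds): array
{
    $dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    ini_set('session.save_path', $dir);
    ini_set('session.use_cookies', '0');  // CLI run: no cookie header to send
    ini_set('session.cache_limiter', ''); // and no cache headers either

    session_start();
    $_SESSION['user'] = 'demo';           // state that must survive rotation
    $firstId = session_id();

    for ($i = 0; $i < $rounds; $i++) {
        // Per-request ID rotation, as described in the report.
        session_regenerate_id($deleteOld);
    }
    $kept = $_SESSION['user'];
    session_write_close();

    // Every file still present is a session ID the server would still accept.
    $files = glob($dir . '/sess_*');
    $firstStillOnDisk = file_exists($dir . '/sess_' . $firstId);

    array_map('unlink', $files);          // clean up the demo directory
    rmdir($dir);

    return [count($files), $firstStillOnDisk, $kept];
}

// Do all session work before printing: output in CLI marks headers as sent.
$withoutDelete = rotate_session(false, 20);
$withDelete    = rotate_session(true, 20);

printf("delete=false: %d files, first id on disk: %s, data kept: %s\n",
    $withoutDelete[0], var_export($withoutDelete[1], true), $withoutDelete[2]);
printf("delete=true:  %d files, first id on disk: %s, data kept: %s\n",
    $withDelete[0], var_export($withDelete[1], true), $withDelete[2]);
```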
 