PHP :: Bug #71472 :: session_regenerate_id malfunctions with certain session handlers

Bug #71472	session_regenerate_id malfunctions with certain session handlers
Submitted:	2016-01-28 03:03 UTC	Modified:	2016-01-28 03:49 UTC
From:	yohgaki@php.net	Assigned:	yohgaki (profile)
Status:	Closed	Package:	Session related
PHP Version:	7.0.2	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	yohgaki@php.net
New email:
PHP Version:		OS:

New Comment:

[2016-01-28 03:03 UTC] yohgaki@php.net

Description:
------------
session_regenerate_id() should open save handler before calling create_sid.

Patches

Pull Requests

Pull requests:

session_regenerate_id malfunctions with certain session handlers (php-src/1739)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-01-28 03:48 UTC] yohgaki@php.net

-Assigned To: +Assigned To: yohgaki

[2016-01-28 03:49 UTC] yohgaki@php.net

Description from the PR

The current order of session_regenerate_id seems to be:

    PS(mod)->s_close
    PS(mod)-> s_create_sid
    PS(mod)->s_open

This causes PS_CREATE_SID_FUNC to receive NULL data and it completely circumvents the original intention of PS_CREATE_SID_FUNC. (for example mod_files.c skips collision checks if data is NULL).

This doesn't seem to cause visible problems with built-in session handlers and not sure how to test this either.

t.php

<?php
ob_start();
ini_set ('session.save_path', '/tmp');

var_dump(session_start());
var_dump(session_regenerate_id(true));
?>

Relevant run on lldb:

lldb --file php -- t.php
(lldb) target create "/opt/php7/bin/php"
Current executable set to '/opt/php7/bin/php' (x86_64).
(lldb) settings set -- target.run-args  "t.php"
(lldb) breakpoint set --file mod_files.c --line 677
Breakpoint 1: where = php`ps_create_sid_files + 100 at mod_files.c:677, address = 0x00000001001cdc34
(lldb) run
Process 95005 launched: '/opt/php7/bin/php' (x86_64)
Process 95005 stopped
* thread #1: tid = 0x5b95ab, 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677
   674          }
   675          /* Check collision */
   676          /* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
-> 677          if (data && ps_files_key_exists(data, ZSTR_VAL(sid)) == SUCCESS) {
   678              if (sid) {
   679                  zend_string_release(sid);
   680                  sid = NULL;
(lldb) p data
(ps_files *) $0 = 0x00000001020810f0
(lldb) p *data
(ps_files) $1 = (lastkey = 0x0000000000000000, basedir = "/tmp", basedir_len = 4, dirdepth = 0, st_size = 0, filemode = 384, fd = -1)
(lldb) cont
Process 95005 resuming
Process 95005 stopped
* thread #1: tid = 0x5b95ab, 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677
   674          }
   675          /* Check collision */
   676          /* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
-> 677          if (data && ps_files_key_exists(data, ZSTR_VAL(sid)) == SUCCESS) {
   678              if (

sid) {
   679                  zend_string_release(sid);
   680                  sid = NULL;
(lldb) p *data
error: Couldn't apply expression side effects : Couldn't dematerialize a result variable: couldn't read its memory
(lldb) p data
(ps_files *) $3 = 0x0000000000000000

	@mkoppanen 	Session regenerate id seems to malfunction with 3rd party session han… …

[2016-01-28 04:31 UTC] yohgaki@php.net

Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers

[2016-01-28 04:31 UTC] yohgaki@php.net

-Status: Assigned +Status: Closed

[2016-04-18 09:29 UTC] bwoebi@php.net

Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers

[2016-07-20 11:33 UTC] davey@php.net

Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat May 10 02:01:26 2025 UTC