Request #32631 sess_* owner & session_regenerate_id
Submitted: 2005-04-08 02:03 UTC Modified: 2005-06-27 23:26 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: mjs15451 at hotmail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.*, 5.* OS: *
Private report: No CVE-ID:
 [2005-04-08 02:03 UTC] mjs15451 at hotmail dot com
I'm trying to build a secure application which can run in safe mode and prevent session fixation and hijacking. I would like to regenerate the session id on every request and delete the old sess_* file immediately after the new one is created. If I cannot delete it immediately, I have to rely on garbage collection which won't delete any files after the session expiration time of 24 minutes or whatever you set it to. As a result, this generates a lot of session files which take up unnecessary space on the hard drive. The problem with this scenario is in safe mode I can't unlink the old session file because it's owned by the server process which is obviously not the same uid/gid as the php file. I can't use session_destroy as it just destroys the current session and when you start the session again, session_start just uses the same file name again. Would it be possible to give session_start the ability to inherit the same ownership of the file in which it is being called and apply that ownership to the sess_* file? Or perhaps would it be possible to have a flag for session_regenerate_id to unlink the old file immediately instead of relying on garbage collection? I'd rather not have to use session_set_save_handler if that's possible as the built-in functions are faster and I like speed.

Reproduce code:
$oldSessionID = session_id();

// new argument for session_regenerate_id could delete old sess_* file immediately?
session_regenerate_id();

/* **OR** The sess_* file that was created with session_start(); could have the same ownership as the template that called it so that one could unlink it in safe mode? */

// session_save_path() has no trailing slash, so the separator is added here
unlink(session_save_path() . "/sess_" . $oldSessionID);

Expected result:
Either session_regenerate_id() deletes the old session file or the sess_* file has the same ownership (and not the server process ownership it currently has) to make it possible to unlink in safe mode.

Actual result:
It's not possible to unlink old sess_* file in safe mode and/or session_regenerate_id() doesn't have the ability to delete the old session file.  


 [2005-04-08 17:39 UTC] mjs15451 at hotmail dot com
I believe this could be considered as a similar enhancement suggestion to bug:
 [2005-04-09 01:29 UTC] mjs15451 at hotmail dot com
Just modify session.c with this code and recompile php: 

        char *oldID = empty_string;
        if (PS(session_status) == php_session_active) {
                if (PS(id)) {
                        oldID = PS(id); /* save old id */
                }

                PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);

                if (oldID != empty_string) {
                        PS(mod)->s_destroy(&PS(mod_data), oldID TSRMLS_CC); /* delete old session file */
                        efree(oldID); /* free the saved id string once its file is gone */
                }
                /* remainder of the block as in the stock session.c */
        }

 [2005-06-27 23:26 UTC]
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

Yes, this is the same feature-request as what you referred to.  Thank you for polluting the bug db with another.
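
Added example, not part of the original report or of PHP's source: a CLI script that compares session_regenerate_id() with and without its delete_old_session argument (available since PHP 5.1) under the default "files" handler. It checks whether the old sess_* file survives and whether the old ID still resumes the authenticated session. The temp directory and the 'user' key are constructed for the demo.

```php
<?php
// Added example, not code from the report. Assumes the PHP CLI (>= 5.1) with
// the default "files" save handler; directory and 'user' key are constructed.
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($dir, 0700);
ini_set('session.save_handler', 'files');
ini_set('session.use_cookies', '0');    // CLI run: no Set-Cookie header
ini_set('session.cache_limiter', '');   // CLI run: no cache headers
session_save_path($dir);

// Rotates the session ID, then reports what is left behind for the old ID.
function rotate($deleteOld)
{
    // Earlier request: the session already holds authenticated state.
    session_start();
    $_SESSION['user'] = 'alice';
    session_write_close();

    // Current request: resume the session and rotate its ID.
    session_start();
    $old = session_id();
    session_regenerate_id($deleteOld);
    session_write_close();
    $fileLeft = file_exists(session_save_path() . '/sess_' . $old);

    // Present the old ID again, as a client holding the stale cookie would.
    session_id($old);
    session_start();
    $stillValid = isset($_SESSION['user']);
    session_destroy();                  // remove whatever file the probe opened

    return array($fileLeft, $stillValid);
}

$results = array(
    'session_regenerate_id()'     => rotate(false),
    'session_regenerate_id(true)' => rotate(true),
);

// Print only after all session calls: CLI output counts as "headers sent".
foreach ($results as $call => $r) {
    printf("%-28s old file left: %-3s  old ID still valid: %s\n",
        $call, $r[0] ? 'yes' : 'no', $r[1] ? 'yes' : 'no');
}

// Clean up the demo directory.
array_map('unlink', glob($dir . '/sess_*'));
rmdir($dir);
```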

Last updated: Tue Aug 29 15:01:52 2017 UTC