php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #65746 session_regenerate_id() should not delete old session data immediately.
Submitted: 2013-09-23 22:41 UTC Modified: 2017-10-24 03:06 UTC
Votes:4
Avg. Score:3.5 ± 1.5
Reproduced:2 of 3 (66.7%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: 5.5Git-2013-09-23 (Git) OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2013-09-23 22:41 UTC] yohgaki@php.net
Description:
------------
session_regenerate_id() do not delete old session data.
It should delete old data.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-09-23 22:41 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2013-09-23 23:17 UTC] requinix@php.net
It doesn't?

bool session_regenerate_id ([ bool $delete_old_session = false ] )
 [2013-09-24 01:02 UTC] yohgaki@php.net
-Type: Bug +Type: Feature/Change Request
 [2013-09-24 01:02 UTC] yohgaki@php.net
Make this to change request :)
 [2014-03-06 15:26 UTC] narf at devilix dot net
Shouldn't this one be closed already?
 [2014-03-12 06:43 UTC] yohgaki@php.net
Unfortunately no.
To delete old session properly, old session data should be deleted after a while. This behavior is under discussion now.
 [2014-03-12 11:44 UTC] narf at devilix dot net
Huh, well ... it was last discussed 4 months ago and the RFC hasn't been updated since.
 [2015-05-24 06:21 UTC] yohgaki@php.net
Patch was there, but there are some objections for lazy destroy. I think there is no objection now.

This bug is related to 
https://bugs.php.net/bug.php?id=69127
 [2015-12-29 00:30 UTC] yohgaki@php.net
-Status: Assigned +Status: Analyzed
 [2016-08-28 21:12 UTC] yohgaki@php.net
-Summary: session_regenerate_id() do not delete old session data. +Summary: session_regenerate_id() does not delete old session data.
 [2016-10-17 06:38 UTC] yohgaki@php.net
-Summary: session_regenerate_id() does not delete old session data. +Summary: session_regenerate_id() should not delete old session data immediately.
 [2016-10-17 06:38 UTC] yohgaki@php.net
Use proper title. Original title meant "no deletion by __default__".
Last RFC is declined, but we _MUST_ fix this issue.

session_regenerate_id() depreciation is a option. We shouldn't keep security related broken function.
 [2017-10-24 03:06 UTC] kalle@php.net
-Status: Analyzed +Status: Assigned
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC