Bug #67694 Regression in session_regenerate_id()
Submitted: 2014-07-28 09:06 UTC Modified: 2014-09-01 07:33 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: atze at fem dot tu-ilmenau dot de Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.6.0RC2 OS: GNU/Linux i386
Private report: No CVE-ID: None
 [2014-07-28 09:06 UTC] atze at fem dot tu-ilmenau dot de
Description:
------------
session_regenerate_id() does still regenerate the session id, it does still keep the session data, but the session data is not stored (e.g. in session file). The session data is available in the running PHP process after session_regenerate_id() is called, but it disappears after that. So the next access is processed with an empty session.

Related settings in php.ini:

session.save_handler = files
session.save_path = "/var/lib/php5" 
(ownership and ACLs are fine)
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain = <FQDN of server>
session.cookie_httponly = 0
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

The code in session.c looks weird, like it is supposed to delete the old session and then create a new one, nothing that looks like "copy the data". Maybe $_SESSION is just by accident still in memory after calling this function, but the documentation clearly states that the session data is preserved by this function call.

The relation to bug #61470 is that the file is not created at the end of the PHP processing; it is never created at all.

Test script:
---------------
<?php

session_start();
$session1 = session_id();                      // id as it was before regeneration
if (!isset($_SESSION['init'])) { $_SESSION['init'] = date('Y-m-d H:i:s'); }   // set once, on the first request

$init1 = @$_SESSION['init'].'<br/>';           // value as seen before regeneration
session_regenerate_id(false);                  // regenerate the id, keep the old session file

echo $init1;
echo @$_SESSION['init'].'<br/>';               // value still present in memory after regeneration
echo 'session id1 ' . $session1;
echo '<br />session id2 ' . session_id();       // new id; must differ from session id1
?>


Expected result:
----------------
Result on PHP 5.4.x:

<Timestamp of session start, does not change when pressing F5>
<session name (== session name 2 of last access)>
<session name 2 (must be different)>

Actual result:
--------------
Result on PHP 5.6RC2:

<Current timestamp>
<session name (== session name 2 of last access)>
<session name 2 (must be different)>
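
The following script is an added verification aid and is not the reporter's test script or code from php-src. It runs the same sequence the report describes (session_start, store a value, session_regenerate_id(false), end of request) from the PHP CLI, then inspects the session directory directly instead of relying on a browser refresh, and finally simulates the "next access" with the regenerated id. It assumes the files save handler, a writable temporary directory, and PHP 5.4 or later; the directory name, the 'init' key and the exit codes are choices made for this example.

```php
<?php
// Added verification script for bug #67694; not the reporter's script and not part of php-src.
// Assumptions: session.save_handler=files, a writable temp directory, PHP 5.4+ syntax.

$savePath = sys_get_temp_dir() . '/bug67694-' . getmypid();   // assumed writable; removed at the end
if (!mkdir($savePath, 0700, true)) {
    fwrite(STDERR, "cannot create $savePath\n");
    exit(2);
}

// Mirror the settings from the report that matter here. Cookies are off because
// there is no HTTP response on the CLI to carry them; the id is passed explicitly below.
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);
ini_set('session.serialize_handler', 'php');
ini_set('session.use_strict_mode', '0');
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '0');
ini_set('session.gc_probability', '0');

function sessionFile($savePath, $id)
{
    return $savePath . '/sess_' . $id;
}

// "Request 1": start, store a value, rotate the id, end the request.
session_start();
$oldId = session_id();
$_SESSION['init'] = date('Y-m-d H:i:s');
$stored = $_SESSION['init'];
session_regenerate_id(false);          // same call as in the reporter's script
$newId = session_id();
session_write_close();                 // what request shutdown does implicitly

$failures = array();
if ($newId === $oldId) {
    $failures[] = 'session id was not regenerated';
}

// Check 1: the regenerated id must have a file on disk, and that file must carry the data.
$newFile = sessionFile($savePath, $newId);
if (!is_file($newFile)) {
    $failures[] = "no session file written for the new id: $newFile";
} elseif (strpos(file_get_contents($newFile), 'init|') === false) {
    $failures[] = "session file for the new id does not contain 'init': $newFile";
}

// Check 2: the "next access" with the new id must see the stored value again.
session_id($newId);
session_start();
$seen = isset($_SESSION['init']) ? $_SESSION['init'] : null;
session_write_close();
if ($seen !== $stored) {
    $failures[] = 'second request did not get the stored value back (got ' . var_export($seen, true) . ')';
}

// Cleanup of the temporary session directory.
foreach (glob($savePath . '/sess_*') as $f) {
    unlink($f);
}
rmdir($savePath);

if ($failures) {
    echo "FAIL (bug #67694 behaviour):\n  " . implode("\n  ", $failures) . "\n";
    exit(1);
}
echo "OK: old id $oldId -> new id $newId, data persisted across regeneration\n";
```

Run it with `php verify_67694.php` (the file name is arbitrary). On a build with the regression, check 1 fails because no `sess_<new id>` file is ever written, which matches the "never created at all" observation in the report; on a fixed build the script prints OK and exits 0, so it can serve as a quick regression check when upgrading the session extension.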

Patches

write-short-circuit-fix (last revision 2014-08-23 14:18 UTC by tyrael@php.net)



History

 [2014-08-22 09:09 UTC] atze at fem dot tu-ilmenau dot de
This bug is still present in RC4 on multiple OS
 [2014-08-22 23:56 UTC] tyrael@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: yohgaki
 [2014-08-22 23:56 UTC] tyrael@php.net
sorry for not spotting this sooner (I remembered that I checked this and couldn't repro, but maybe I just remember wrong).
I was able to reproduce the issue with RC4, from a quick search, it seems that this was introduced with
http://git.php.net/?p=php-src.git;a=commit;h=554021d21e1b2517313a377676260c188152c2eb
http://bugs.php.net/17860
Assigning this to Yasuo, but others are also welcome to look into this.
 [2014-08-23 00:47 UTC] datibbaw@php.net
I've tried to write a test case against this, but unfortunately it passes on 5.6; perhaps somebody can improve it?

https://gist.github.com/datibbaw/6fd22f567f1ef2436ddb
 [2014-08-23 01:22 UTC] datibbaw@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ce9bdae33f101ff85c08d32ce5c2c6502a451d62
Log: Fixed #67694: Regression in session_regenerate_id()
 [2014-08-23 01:22 UTC] datibbaw@php.net
-Status: Verified +Status: Closed
 [2014-08-23 07:15 UTC] tyrael@php.net
The following patch has been added/updated:

Patch Name: write-short-circuit-fix
Revision:   1408778157
URL:        https://bugs.php.net/patch-display.php?bug=67694&patch=write-short-circuit-fix&revision=1408778157
 [2014-08-23 07:19 UTC] tyrael@php.net
ignore the first patch, I screwed up.
 [2014-08-23 14:18 UTC] tyrael@php.net
The following patch has been added/updated:

Patch Name: write-short-circuit-fix
Revision:   1408803509
URL:        https://bugs.php.net/patch-display.php?bug=67694&patch=write-short-circuit-fix&revision=1408803509
 [2014-08-23 14:22 UTC] tyrael@php.net
duh, datibbaw already fixed it, should have refreshed my browser since commenting yesterday. :/
 [2014-08-24 11:08 UTC] atze at fem dot tu-ilmenau dot de
short testing yields this :(

[pid 11627] open("/var/lib/php5/sess_0q1md3dakrcv8g2cu083ef6835", O_RDWR|O_CREAT|O_LARGEFILE|O_NOFOLLOW, 0600) = 6
[pid 11627] fstat64(6, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
[pid 11627] getuid32()                  = 33
[pid 11627] flock(6, LOCK_EX)           = 0
[pid 11627] fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
[pid 11627] fstat64(6, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
[pid 11627] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x8771af7} ---


But maybe I broke the build. Will test again, but that will take 2 days.
 [2014-08-24 16:03 UTC] atze at fem dot tu-ilmenau dot de
This is the backtrace... can anyone reproduce this?

Program received signal SIGSEGV, Segmentation fault.
php_sprintf (s=0x8771af7 "%s|%s", format=0xb74c9830 "1crisadvoi8p7pv7r833mn2qr3") at /usr/src/php/php5-5.6.0RC4/main/php_sprintf.c:37
37        s[0] = '\0';
(gdb) bt
#0  php_sprintf (s=0x8771af7 "%s|%s", format=0xb74c9830 "1crisadvoi8p7pv7r833mn2qr3") at /usr/src/php/php5-5.6.0RC4/main/php_sprintf.c:37
#1  0x081bfebf in php_session_initialize () at /usr/src/php/php5-5.6.0RC4/ext/session/session.c:522
#2  0x081c0730 in php_session_start () at /usr/src/php/php5-5.6.0RC4/ext/session/session.c:1618
#3  0x081c1619 in zif_session_start (ht=0, return_value=0xb74c948c, return_value_ptr=0xb74ae088, this_ptr=0x0, return_value_used=0)
    at /usr/src/php/php5-5.6.0RC4/ext/session/session.c:2098
#4  0x083decb0 in execute_internal (execute_data_ptr=0xb74ae094, fci=0x0, return_value_used=0) at /usr/src/php/php5-5.6.0RC4/Zend/zend_execute.c:1512
 [2014-08-24 16:09 UTC] atze at fem dot tu-ilmenau dot de
Oh never mind, I also screwed up :)
 [2014-08-27 03:17 UTC] tyrael@php.net
Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e60d39581a8fb7e0d8cabd5c2d44d35e01d2969c
Log: Fixed #67694: Regression in session_regenerate_id()
 [2014-09-01 07:33 UTC] yohgaki@php.net
I didn't notice the notification mails, sorry.
If there is any leftover, please let me know.