Bug #70013 Reference to $_SESSION is lost after a call to session_regenerate_id()
Submitted: 2015-07-07 23:44 UTC Modified: 2015-09-15 06:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: jakub at zalas dot pl Assigned: yohgaki
Status: Closed Package: Session related
PHP Version: 7.0Git-2015-07-07 (Git) OS: Debian
Private report: No CVE-ID:
 [2015-07-07 23:44 UTC] jakub at zalas dot pl
Description:
------------
If a reference to $_SESSION is assigned to another variable, it is lost after a call to session_regenerate_id(). It is not lost in previous PHP versions, and Symfony's HttpFoundation actually relies on this behaviour.



php -v
PHP 7.0.0-dev (cli) (built: Jul  7 2015 22:52:27) (DEBUG)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

Test script:
---------------
<?php
session_start();

$session = &$_SESSION;

$session['test'] = 1;
session_regenerate_id(false);
$session['test'] = 2;

// dumps false, should be true
var_dump($session['test'] === $_SESSION['test']);

Expected result:
----------------
bool(true)

Actual result:
--------------
bool(false)
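
A defensive pattern for code that keeps an alias to $_SESSION, as an added example that is not part of the original report or of php-src: the hypothetical SessionBag class checks after session_regenerate_id() whether its alias still points at $_SESSION and re-binds it if not, so values written after an ID rotation still reach the session on a build that shows this behaviour. The class name, method names and sample values are assumptions made for illustration.

```php
<?php
// Added example. SessionBag is a hypothetical wrapper, not Symfony's or PHP's code.
final class SessionBag
{
    /** @var array Alias of the $_SESSION superglobal. */
    private $data;

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $this->data = &$_SESSION;
    }

    public function set(string $key, $value)
    {
        $this->data[$key] = $value;
    }

    /** True when a write through the alias is visible in $_SESSION. */
    public function isBound(): bool
    {
        $probe = '__alias_probe';
        $this->data[$probe] = true;
        $bound = isset($_SESSION[$probe]);
        // Remove the probe from whichever array(s) received it.
        unset($this->data[$probe], $_SESSION[$probe]);
        return $bound;
    }

    /** Rotate the session ID, then repair the alias if the engine replaced $_SESSION. */
    public function regenerate(bool $deleteOld = false): bool
    {
        $ok = session_regenerate_id($deleteOld);
        if (!$this->isBound()) {
            // The alias points at a detached array; later writes would not be saved.
            $this->data = &$_SESSION;
        }
        return $ok;
    }
}

$bag = new SessionBag();
$bag->set('user', 'alice');      // constructed sample value
$bag->regenerate(false);         // same call as in the report's test script
$bag->set('role', 'editor');     // written after the ID rotation
var_dump($_SESSION['role'] === 'editor');
```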

 [2015-07-08 07:06 UTC] stloyd at o2 dot pl
This is a BC break that can be easily reproduced: http://3v4l.org/PRhdj
 [2015-07-08 15:10 UTC] bwoebi@php.net
It is a BC break, but I'm not sure if the behavior before was correct.

References should normally be broken up before deletion…
And session_regenerate_id() is exactly that: delete old session, create new session.
 [2015-07-09 09:16 UTC] tyrael@php.net
Bob: first of all, deleting the old session won't happen by default, so your definition is a bit misleading, and also, the "new" session will hold the same data only under a different session id, so I think not many people would expect that the $_SESSION superglobal will be recreated, hence losing the reference.
If you add this to the fact that this is an undocumented behavior change, I think we should consider this a bug and fix it.
 [2015-07-10 09:06 UTC] mike@php.net
+1, "deleting the session", if ever, should mean on the backend under the old key; the data will stay the same and a reference to it should be kept intact.
 [2015-07-10 14:53 UTC] laruence@php.net
I'd like to mark this as won't fix. The new behavior seems more reasonable.
 [2015-07-11 06:38 UTC] mike@php.net
It may seem more reasonable from an implementor's point of view, because you're looking at the C codes, but definitely does not seem reasonable for an appointment developer.

This breaks userland in a very unintuitive way.
 [2015-07-11 06:39 UTC] mike@php.net
Autocorrection FTW.

Of course I meant application developer and s/codes/code/
 [2015-07-11 20:44 UTC] ab@php.net
Hi,

I guess we should revert the change to PHP5 behavior. Please do a proof read of

https://wiki.php.net/rfc/session-lock-ini
http://grokbase.com/t/php/php-internals/142dbaan9h/vote-rfc-introduce-session-start-options-read-only-unsafe-lock-lazy-write-and-lazy-destroy

and also bug #65746. This behavior change is a subset of the mentioned RFC which had major concerns and was declined. Until a proper solution is suggested and accepted, there is no reason to go for BC breaks.

Thanks.
 [2015-07-13 02:17 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-07-13 02:21 UTC] yohgaki@php.net
So what should I do? Restore old behavior or not?
 [2015-07-13 16:09 UTC] kalle@php.net
Yasuo,

Me and Anatol talked it over and we both believe that the old behavior should be restored as to how it was in PHP5. It creates less of a WTF factor when upgrading too, even though the new behavior makes more sense.

So please go ahead and commit a fix to revert the behavior back before Beta 2.
 [2015-07-21 09:47 UTC] ab@php.net
Hi Yasuo,

What is the status of this? Obviously too late for beta2 (

Thanks.

Anatol
 [2015-08-08 22:15 UTC] ab@php.net
Yasuo, ping. Probably still should be fixed till RC1.

Thanks.
 [2015-09-06 05:53 UTC] yohgaki@php.net
Sorry, I wasn't paying attention to this. I'll fix this soon.
 [2015-09-06 18:58 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f34b858ed018d4c33bc0c3f03acc0bf143d35534
Log: Fix #70013: Reference to $_SESSION is lost after a call to session_regenerate_id()
 [2015-09-06 18:58 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2015-09-15 06:22 UTC] ab@php.net
Thanks for the fix, Yasuo. I've added it to the NEWS.

Cheers.
 [2015-09-15 12:13 UTC] ab@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f34b858ed018d4c33bc0c3f03acc0bf143d35534
Log: Fix #70013: Reference to $_SESSION is lost after a call to session_regenerate_id()
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f34b858ed018d4c33bc0c3f03acc0bf143d35534
Log: Fix #70013: Reference to $_SESSION is lost after a call to session_regenerate_id()