go to bug id or search bugs for
If a reference to $_SESSION is assigned to another variable, it is lost after a call to session_regenerate_id(). It is not lost in previous PHP versions, and Symfony's HttpFoundation actually relies on this behaviour.
PHP 7.0.0-dev (cli) (built: Jul 7 2015 22:52:27) (DEBUG)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2015 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies
$session = &$_SESSION;
$session['test'] = 1;
$session['test'] = 2;
// dumps false, should be true
var_dump($session['test'] === $_SESSION['test']);
Add a Patch
Add a Pull Request
This is BC break that can be easily reproduced: http://3v4l.org/PRhdj
It is a BC break, but I'm not sure if the behavior before was correct.
References should normally be broken up before deletion…
And session_regenerate_id() is exactly that: delete old session, create new session.
Bob: first of all, deleting the old session won't happen by default, so your definition is a bit misleading, and also, from the "new" session will hold the same data only under a different session id, so I think not many people would expect that the $_SESSION superglobal will be recreated hence losing the reference.
if you add this to the fact that this is an undocumented behavior change I think we should consider this a bug and fix it.
+1, "deleting the session", if ever should mean on the backend under the old key; the data will stay the same and a reference to it should be kept intact.
I'd like mark this as won't fix.. the new behaviors seems more reasonable
It may seem more reasonable from an implementors point of view, because you're looking at the C codes, but definitely does not seem reasonable for an appointment developer.
This breaks userland in an very unintuitive way.
Of course I meant application developer and s/codes/code/
I guess we should revert the change to PHP5 behavior. Please do a proof read of
and also bug #65746. This behavior change is a subset of the mentioned RFC which had major concerns and was declined. Until a proper solution is suggested and accepted, there is no reason to go for BC breaks.
So what should I do? Restore old behavior or not?
Me and Anatol, talked it over and we both believe that the old behavior should be restored as to how it was in PHP5. It creates a less WTF factor when upgrading too, even though the new behavior is makes more sense.
So please go ahead and commit a fix to revert the behavior back before Beta 2
what is the status of this? Obviously too late for beta2 (
Yasuo, ping. Probably still should be fixed till RC1.
Sorry, I wasn't paying attention to this. I'll fix this soon.
Automatic comment on behalf of yohgaki
Log: Fix #70013: Reference to $_SESSION is lost after a call to session_regenerate_id()
Thanks for the fix, Yasuo. I've added it to the NEWS.
Related To: Bug #70584