PHP :: Bug #70871 :: session_regenerate_id(): Failed to create session ID: user (path: )

Bug #70871

session_regenerate_id(): Failed to create session ID: user (path: )

Submitted:

2015-11-06 11:36 UTC

Modified:

2015-11-13 21:51 UTC

Votes:	5
Avg. Score:	4.0 ± 0.9
Reproduced:	3 of 3 (100.0%)
Same Version:	2 (66.7%)
Same OS:	1 (33.3%)

From:

jacky at xsteach dot com

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Session related

PHP Version:

7.0.0RC6

OS:

mac os x

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2015-11-06 11:36 UTC] jacky at xsteach dot com

Description:
------------
before php7RC3,the test script is working well,but a warning is throw after php7RC2.

Test script:
---------------
session_start();
session_destroy();
session_regenerate_id(true);

Expected result:
----------------
output nothing

Actual result:
--------------
Warning: session_regenerate_id(): Cannot regenerate session id

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-11-06 14:42 UTC] laruence@php.net

-Assigned To: +Assigned To: yohgaki

[2015-11-06 14:42 UTC] laruence@php.net

this should be a intentional change, https://github.com/php/php-src/commit/e93042998af1fea9204e17bc5cdd13c702156d5b

@yohgaki ?

[2015-11-08 07:24 UTC] bellosthomas at gmail dot com

Similar problem here
I have a custom session handler storing session in memcache
However, when I invoke session_regenerate_id(true), I get a fatal error
Catchable fatal error: session_regenerate_id(): Failed to create session ID: user

[2015-11-10 01:55 UTC] yohgaki@php.net

@laruence

Yes. Session becames inactive by calling session_destroy(). Therefore, session_regenerate_id() complains about bogus call as it requires active session to be useful.

[2015-11-10 18:10 UTC] narf at devilix dot net

With a custom session handler, it also spits out the same error message *immediately after* a session_start() call - at that point, the session is not inactive.

Also, this is a breaking change and should not happen at the RC stage.

[2015-11-12 02:19 UTC] yohgaki@php.net

@narf

session_start() should never raise error like

Warning: session_regenerate_id(): Cannot regenerate session id - session is not active in - on line 4

If you think it's not your save handler's problem, please file a new bug report with your save handler code. 

Recent (5.6 and up, IIRC) has stricter specification for save handlers. Refer to 
https://bugs.php.net/bug.php?id=70520
even example save handler in the manual was wrong.

[2015-11-12 18:00 UTC] narf at devilix dot net

@yasuo

I didn't say that session_start() issues that message.

What I'm saying is that calling session_regenerate_id() *immediately after* session_start(), would issue this:

session_regenerate_id(): Failed to create session ID: user (path: <value of session.save_path>)

And I'm kind of proxy-ing a bug report that was submitted to me here: https://github.com/bcit-ci/CodeIgniter/issues/4230

[2015-11-13 00:39 UTC] yohgaki@php.net

@narf

OK. Could tell me where I can look at the save handler code?

[2015-11-13 00:44 UTC] yohgaki@php.net

@narf

Is this the save handler?

https://github.com/bcit-ci/CodeIgniter/blob/develop/system/libraries/Session/drivers/Session_redis_driver.php#L162

I haven't looked into detail and don't understand the handler fully, but this function may be the cause of bug. 

Returning FALSE on read will raise the error.

[2015-11-13 01:20 UTC] yohgaki@php.net

Oops, you are getting other kind of error.

session_regenerate_id(): Failed to create session ID: user (path: <value of session.save_path>)

This error is raised by multiple reasons. The error messages are better to modify so that users can distinguish the cause. Anyway, it may be raised if

 - new session ID creation is failed. (Very unlikely)
 - opening save handler is failed.
 - session ID collision is detected and failed. (Very unlikely)
 - session read with new session ID is failed.

I'll modify error messages to distinguish the cause of your problem.

[2015-11-13 05:23 UTC] bellosthomas at gmail dot com

I was also getting a fatal error (check comment above), with a custom session handler. After yohgaki's comment about the return value of the read() method, which needs to return a string, I checked my session handler and I saw I was returning boolean false in some cases. Casting the return value to string, solved it.

[2015-11-13 10:18 UTC] narf at devilix dot net

@yasuo

Yep, that's the session handler in question.
I guess I'll have to wait for your error messages patch ...

[2015-11-13 11:42 UTC] ab@php.net

Please check this error log records:

[Fri Nov 13 01:59:48.334695 2015] [:error] [pid 22639] [client x.x.x.x:10706] PHP Warning:  session_start(): open(/var/lib/php/sessions/sess_ngds5c5qpok0jm3lcjvmtslqh7, O_RDWR) failed: Permission denied (13) in /some/path/to/file.php on line 16
[Fri Nov 13 01:59:48.334860 2015] [:error] [pid 22639] [client x.x.x.x:10706] PHP Warning:  session_regenerate_id(): open(/var/lib/php/sessions/sess_mfmb9rq8qoofsbcigs8ckdhsa4, O_RDWR) failed: Permission denied (13) in /some/path/to/file.php on line 23
[Fri Nov 13 01:59:48.334883 2015] [:error] [pid 22639] [client x.x.x.x:10706] PHP Catchable fatal error:  session_regenerate_id(): Failed to create session ID: files (path: /var/lib/php/sessions) in /some/path/to/file.php on line 23
[Fri Nov 13 01:59:49.738997 2015] [:error] [pid 22638] [client x.x.x.x:10707] PHP Warning:  session_start(): open(/var/lib/php/sessions/sess_ngds5c5qpok0jm3lcjvmtslqh7, O_RDWR) failed: Permission denied (13) in /some/path/to/file.php on line 16
[Fri Nov 13 01:59:49.739178 2015] [:error] [pid 22638] [client x.x.x.x:10707] PHP Warning:  session_regenerate_id(): open(/var/lib/php/sessions/sess_u9aqmuc73nub1g09vkisojjk11, O_RDWR) failed: Permission denied (13) in /some/path/to/file.php on line 23
[Fri Nov 13 01:59:49.739198 2015] [:error] [pid 22638] [client x.x.x.x:10707] PHP Catchable fatal error:  session_regenerate_id(): Failed to create session ID: files (path: /var/lib/php/sessions) in /some/path/to/file.php on line 23
[Fri Nov 13 01:59:50.534468 2015] [:error] [pid 22637] [client x.x.x.x:10710] PHP Warning:  session_start(): open(/var/lib/php/sessions/sess_ngds5c5qpok0jm3lcjvmtslqh7, O_RDWR) failed: Permission denied (13) in /some/path/to/file.php on line 16
[Fri Nov 13 01:59:50.534644 2015] [:error] [pid 22637] [client x.x.x.x:10710] PHP Warning:  session_regenerate_id(): open(/var/lib/php/sessions/sess_aparjtipjng2nnn8sdm8q9drn4, O_RDWR) failed: Permission denied (13) in /some/path/to/file.php on line 23
[Fri Nov 13 01:59:50.534663 2015] [:error] [pid 22637] [client x.x.x.x:10710] PHP Catchable fatal error:  session_regenerate_id(): Failed to create session ID: files (path: /var/lib/php/sessions) in /some/path/to/file.php on line 23

So in my case, I can reproduce it making /var/lib/php/sessions/ not writable to PHP process. This can explain the warning in session_regenerate_id() immediately after session_start() - namely session_start() is failed.

 Now, the original case of session_destroy()+session_regenerate_id() looks like logic. Same as before - no session, no regenerate id. But with a custom session handler, it can be much trickier to figure out, depends on its error reporting. All in all, it still doesn't look. Could we please take a look at the error logs for such cases (possibly with max enabled error reporting)?

In general yes, some finer grained error messages can help on the user side.

Thanks.

[2015-11-13 21:50 UTC] yohgaki@php.net

I've committed error message patch. Latest code will produce distinguishable error messages. Anyway, original bug report is not a bug. I close this one. If you find any new issue, please open new or use appropriate bug report.

[2015-11-13 21:51 UTC] yohgaki@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 10:01:28 2024 UTC