PHP :: Bug #71472 :: session_regenerate_id malfunctions with certain session handlers

Bug #71472	session_regenerate_id malfunctions with certain session handlers
Submitted:	2016-01-28 03:03 UTC	Modified:	2016-01-28 03:49 UTC
From:	yohgaki@php.net	Assigned:	yohgaki (profile)
Status:	Closed	Package:	Session related
PHP Version:	7.0.2	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-01-28 03:03 UTC] yohgaki@php.net

Description:
------------
session_regenerate_id() should open save handler before calling create_sid.

Patches

Pull Requests

Pull requests:

session_regenerate_id malfunctions with certain session handlers (php-src/1739)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-01-28 03:48 UTC] yohgaki@php.net

-Assigned To: +Assigned To: yohgaki

[2016-01-28 03:49 UTC] yohgaki@php.net

Description from the PR

The current order of session_regenerate_id seems to be:

    PS(mod)->s_close
    PS(mod)-> s_create_sid
    PS(mod)->s_open

This causes PS_CREATE_SID_FUNC to receive NULL data and it completely circumvents the original intention of PS_CREATE_SID_FUNC. (for example mod_files.c skips collision checks if data is NULL).

This doesn't seem to cause visible problems with built-in session handlers and not sure how to test this either.

t.php

<?php
ob_start();
ini_set ('session.save_path', '/tmp');

var_dump(session_start());
var_dump(session_regenerate_id(true));
?>

Relevant run on lldb:

lldb --file php -- t.php
(lldb) target create "/opt/php7/bin/php"
Current executable set to '/opt/php7/bin/php' (x86_64).
(lldb) settings set -- target.run-args  "t.php"
(lldb) breakpoint set --file mod_files.c --line 677
Breakpoint 1: where = php`ps_create_sid_files + 100 at mod_files.c:677, address = 0x00000001001cdc34
(lldb) run
Process 95005 launched: '/opt/php7/bin/php' (x86_64)
Process 95005 stopped
* thread #1: tid = 0x5b95ab, 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677
   674          }
   675          /* Check collision */
   676          /* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
-> 677          if (data && ps_files_key_exists(data, ZSTR_VAL(sid)) == SUCCESS) {
   678              if (sid) {
   679                  zend_string_release(sid);
   680                  sid = NULL;
(lldb) p data
(ps_files *) $0 = 0x00000001020810f0
(lldb) p *data
(ps_files) $1 = (lastkey = 0x0000000000000000, basedir = "/tmp", basedir_len = 4, dirdepth = 0, st_size = 0, filemode = 384, fd = -1)
(lldb) cont
Process 95005 resuming
Process 95005 stopped
* thread #1: tid = 0x5b95ab, 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001001cdc34 php`ps_create_sid_files(mod_data=0x0000000100d5bfe8) + 100 at mod_files.c:677
   674          }
   675          /* Check collision */
   676          /* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
-> 677          if (data && ps_files_key_exists(data, ZSTR_VAL(sid)) == SUCCESS) {
   678              if (

sid) {
   679                  zend_string_release(sid);
   680                  sid = NULL;
(lldb) p *data
error: Couldn't apply expression side effects : Couldn't dematerialize a result variable: couldn't read its memory
(lldb) p data
(ps_files *) $3 = 0x0000000000000000

	@mkoppanen 	Session regenerate id seems to malfunction with 3rd party session han… …

[2016-01-28 04:31 UTC] yohgaki@php.net

Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers

[2016-01-28 04:31 UTC] yohgaki@php.net

-Status: Assigned +Status: Closed

[2016-04-18 09:29 UTC] bwoebi@php.net

Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers

[2016-07-20 11:33 UTC] davey@php.net

Automatic comment on behalf of mikko@kuut.io
Revision: http://git.php.net/?p=php-src.git;a=commit;h=46d4a371054f43fe8aeca14b83ba722adc84ac10
Log: Session regenerate id seems to malfunction with 3rd party session handlers Fixed bug #71472 session_regenerate_id malfunctions with certain session handlers

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 23:01:31 2025 UTC