Patch session-regenerate-id.xml.diff revision 2017-03-10 00:42 UTC by signe at cothlamadh dot net

Patch session-regenerate-id.xml.diff for Session related Bug #74231

Patch version 2017-03-10 00:42 UTC


Developer: signe@cothlamadh.net

Index: en/reference/session/functions/session-regenerate-id.xml
===================================================================
--- en/reference/session/functions/session-regenerate-id.xml	(revision 342067)
+++ en/reference/session/functions/session-regenerate-id.xml	(working copy)
@@ -170,24 +170,31 @@
 function my_session_start() {
     session_start();
     if (isset($_SESSION['destroyed'])) {
-       if ($_SESSION['destroyed'] < time()-300) {
-           // Should not happen usually. This could be attack or due to unstable network.
-           // Remove all authentication status of this users session.
-           remove_all_authentication_flag_from_active_sessions($_SESSION['userid']);
-           throw(new DestroyedSessionAccessException);
-       }
-       if (isset($_SESSION['new_session_id'])) {
-           // Not fully expired yet. Could be lost cookie by unstable network.
-           // Try again to set proper session ID cookie.
-           // NOTE: Do not try to set session ID again if you would like to remove
-           // authentication flag.
-           session_commit();
-           session_id($_SESSION['new_session_id']);
-           // New session ID should exist
-           session_start();
-           return;
-       }
-   }
+        if ($_SESSION['destroyed'] < time()-300) {
+            // Should not happen usually. This could be attack or due to unstable network.
+            // Remove all authentication status of this users session.
+            remove_all_authentication_flag_from_active_sessions($_SESSION['userid']);
+            throw(new DestroyedSessionAccessException);
+        }
+
+        if (isset($_SESSION['new_session_id'])) {
+            // Not fully expired yet. Could be lost cookie by unstable network.
+            // Try again to set proper session ID cookie.
+            // NOTE: Do not try to set session ID again if you would like to remove
+            // authentication flag.
+            session_commit();
+
+            // use_strict_mode must be disabled in order to set the 
+            // new session ID and then reenabled afterward
+            ini_set('session.use_strict_mode', 0);
+            session_id($_SESSION['new_session_id']);
+            ini_set('session.use_strict_mode', 1);
+
+            // New session ID should exist
+            session_start();
+            return;
+        }
+    }
 }
 
 function my_session_regenerate_id() {
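Review bot: The re-enable `ini_set('session.use_strict_mode', 1);` in the `new_session_id` branch hard-codes the value instead of restoring what was configured, and neither `ini_set()` return value is checked, so a toggle that fails passes silently; the second hunk repeats the pattern in `my_session_regenerate_id()`. Capture and restore the old value with `$prev = ini_set('session.use_strict_mode', '0');` and `ini_set('session.use_strict_mode', $prev);`, and treat a `false` return as an error. In this branch the new session should already exist in storage, so it is worth confirming that strict mode needs to be turned off here at all; if it does not, leaving it on is the safer example for readers who copy it.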
@@ -195,22 +202,30 @@
     // when session ID is not set due to unstable network.
     $new_session_id = session_create_id();
     $_SESSION['new_session_id'] = $new_session_id;
-    
+
     // Set destroy timestamp
     $_SESSION['destroyed'] = time();
-    
-    // Write and close current session;
+
+    // Write current session;
     session_commit();
 
-    // Start session with new session ID
-    session_id($new_session_id);
+    // use_strict_mode must be disabled in order to set the 
+    // new session ID and then reenabled afterward
     ini_set('session.use_strict_mode', 0);
-    session_start();
+    session_id($new_session_id);
     ini_set('session.use_strict_mode', 1);
-    
+
+    // Temporarily store the old session information
+    $tempSession = $_SESSION;
+
+    // Start session with new session ID
+    session_start();
+
+    // Restore the old session information into the new session
+    $_SESSION = $tempSession;
+
     // New session does not need them
-    unset($_SESSION['destroyed']);
-    unset($_SESSION['new_session_id']);
+    unset($_SESSION['destroyed'], $_SESSION['new_session_id'], $tempSession);
 }
 ?>
 ]]>
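Review bot: `session_start()` now runs after `ini_set('session.use_strict_mode', 1);`, so the freshly created ID is opened with strict mode on. As far as I can tell, strict mode rejects unknown IDs when the session is opened rather than in `session_id()`, so the new ID may be discarded and replaced, leaving the `new_session_id` stored in the old session pointing at a session that never exists. Keep `session_start();` inside the disabled window: take `$tempSession = $_SESSION;` before `ini_set('session.use_strict_mode', 0);`, call `session_start();` right after `session_id($new_session_id);`, then re-enable, and check that the re-enable is accepted while a session is active on the PHP versions the manual targets. The function opens in the previous hunk and one line between the two hunks is not shown.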
 