Patch session-regenerate-id.xml.diff for Session related Bug #74231
Patch version 2017-03-10 00:42 UTC
Developer: signe@cothlamadh.net
Index: en/reference/session/functions/session-regenerate-id.xml
===================================================================
--- en/reference/session/functions/session-regenerate-id.xml (revision 342067)
+++ en/reference/session/functions/session-regenerate-id.xml (working copy)
@@ -170,24 +170,31 @@
function my_session_start() {
session_start();
if (isset($_SESSION['destroyed'])) {
- if ($_SESSION['destroyed'] < time()-300) {
- // Should not happen usually. This could be attack or due to unstable network.
- // Remove all authentication status of this users session.
- remove_all_authentication_flag_from_active_sessions($_SESSION['userid']);
- throw(new DestroyedSessionAccessException);
- }
- if (isset($_SESSION['new_session_id'])) {
- // Not fully expired yet. Could be lost cookie by unstable network.
- // Try again to set proper session ID cookie.
- // NOTE: Do not try to set session ID again if you would like to remove
- // authentication flag.
- session_commit();
- session_id($_SESSION['new_session_id']);
- // New session ID should exist
- session_start();
- return;
- }
- }
+ if ($_SESSION['destroyed'] < time()-300) {
+ // Should not happen usually. This could be attack or due to unstable network.
+ // Remove all authentication status of this users session.
+ remove_all_authentication_flag_from_active_sessions($_SESSION['userid']);
+ throw(new DestroyedSessionAccessException);
+ }
+
+ if (isset($_SESSION['new_session_id'])) {
+ // Not fully expired yet. Could be lost cookie by unstable network.
+ // Try again to set proper session ID cookie.
+ // NOTE: Do not try to set session ID again if you would like to remove
+ // authentication flag.
+ session_commit();
+
+ // use_strict_mode must be disabled in order to set the
+ // new session ID and then reenabled afterward
+ ini_set('session.use_strict_mode', 0);
+ session_id($_SESSION['new_session_id']);
+ ini_set('session.use_strict_mode', 1);
+
+ // New session ID should exist
+ session_start();
+ return;
+ }
+ }
}
function my_session_regenerate_id() {
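Review bot: The comment added on the new side before `ini_set('session.use_strict_mode', 0)` says strict mode "must be disabled" to set the ID, but not why that is acceptable, and readers copy this example into their own code; I would extend it with `// Safe to bypass here: new_session_id was generated server-side by session_create_id() and never comes from the client, so strict mode's protection against client-chosen IDs is not weakened.` Whether the strict-mode check is applied when session_id() is called or only when session_start() runs appears to depend on the PHP version, so the claim in the comment is worth confirming against the version the example targets. The same disable/re-enable bracket is added in the second hunk around `session_id($new_session_id)`, where the new ID does not yet exist in storage, and the remark applies there too. The end of my_session_start is inside the hunk, but my_session_regenerate_id, whose header is the last context line, continues in the next hunk.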
@@ -195,22 +202,30 @@
// when session ID is not set due to unstable network.
$new_session_id = session_create_id();
$_SESSION['new_session_id'] = $new_session_id;
-
+
// Set destroy timestamp
$_SESSION['destroyed'] = time();
-
- // Write and close current session;
+
+ // Write current session;
session_commit();
- // Start session with new session ID
- session_id($new_session_id);
+ // use_strict_mode must be disabled in order to set the
+ // new session ID and then reenabled afterward
ini_set('session.use_strict_mode', 0);
- session_start();
+ session_id($new_session_id);
ini_set('session.use_strict_mode', 1);
-
+
+ // Temporarily store the old session information
+ $tempSession = $_SESSION;
+
+ // Start session with new session ID
+ session_start();
+
+ // Restore the old session information into the new session
+ $_SESSION = $tempSession;
+
// New session does not need them
- unset($_SESSION['destroyed']);
- unset($_SESSION['new_session_id']);
+ unset($_SESSION['destroyed'], $_SESSION['new_session_id'], $tempSession);
}
?>
]]>
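Review bot: Strict mode is switched back on (`ini_set('session.use_strict_mode', 1)`) before `session_start()` is called for `$new_session_id`, an ID that does not yet exist in the session store; if the running PHP version rejects uninitialized IDs at session start, as the removed ordering (disable, `session_start()`, re-enable) assumed, PHP will discard the new ID and generate another one, so the `new_session_id` recorded in the old session no longer points at the live session and the recovery path in my_session_start cannot find it. I would keep the window open across the start, `session_id($new_session_id); /* ... copy $_SESSION ... */ session_start(); ini_set('session.use_strict_mode', 1);`, or at least document which PHP version the new ordering was verified against. The `$tempSession` copy restores the whole old session into the new one, including the `destroyed` and `new_session_id` markers that are then unset on the last changed line; that is fine here but the comment should say the entire old state is carried over so readers know nothing is dropped during regeneration. The opening lines of my_session_regenerate_id are outside this hunk.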