Hello,

It's interesting to me that you request this, since other users have reported the undesirable behavior of having session data associated with one session ID persist after calling regenerateId(). Would you please create a JIRA issue for this so we can track the request?

http://framework.zend.com/issues/secure/CreateIssue!default.jspa

Thanks for the report!

Best regards,
Darby

KyleMac wrote:
> I think that regenerateId() should take a parameter to set delete_old_session
> to false in session_regenerate_id(). I've already changed my code to do
> this.
>
> Why do I think this should be done? Well, session_regenerate_id(true)
> deletes the old session ID, so if a user fires off requests to a site in
> quick succession, it is quite possible for their browser to write the new
> cookies too slowly or in the wrong order and thus their session is lost.
>
> It is quite easy to recreate this situation with some simple code and then
> just hammer (or hold down) F5. You have to pick up some speed to recreate the
> issue but it does occur randomly at normal speeds on a proper site (I think
> maybe the browser is slowed down much further by images or JavaScript or
> something).
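The trade-off discussed in this thread, as an added example that is not part of either message and is neither PHP's nor Zend Framework's code: a small Python model of a session store showing what happens to a request still carrying the old cookie when the ID is regenerated. The `SessionStore` class, the `rapid_reload` helper and the grace-window variant (old ID forwarded to the new session for a few seconds) are assumptions made for illustration.

```python
import secrets

class SessionStore:
    """Toy in-memory model of a server-side session store (constructed)."""

    def __init__(self, grace=0):
        self.data = {}      # session ID -> session data
        self.retired = {}   # deleted old ID -> (replacement ID, expiry time)
        self.grace = grace  # hypothetical grace window, in seconds

    def create(self, payload):
        sid = secrets.token_hex(16)
        self.data[sid] = dict(payload)
        return sid

    def regenerate(self, old_sid, now, delete_old):
        new_sid = secrets.token_hex(16)
        if delete_old:
            # Models session_regenerate_id(true): the old ID stops resolving.
            self.data[new_sid] = self.data.pop(old_sid)
            if self.grace:
                self.retired[old_sid] = (new_sid, now + self.grace)
        else:
            # Models delete_old_session = false: the old ID keeps its data.
            self.data[new_sid] = dict(self.data[old_sid])
        return new_sid

    def load(self, sid, now):
        if sid in self.data:
            return self.data[sid]
        new_sid, expires = self.retired.get(sid, (None, 0))
        if new_sid is not None and now < expires:
            return self.data[new_sid]  # late request, still inside the window
        self.retired.pop(sid, None)
        return None                    # unknown or expired ID: session lost

def rapid_reload(delete_old, grace=0, delay=1, later=3600):
    """Return (in-flight request kept its session, old ID still valid later)."""
    store = SessionStore(grace)
    old = store.create({"user": "alice"})  # constructed sample session
    store.regenerate(old, now=0, delete_old=delete_old)
    in_flight = store.load(old, now=delay) is not None
    stale = store.load(old, now=later) is not None
    return in_flight, stale

if __name__ == "__main__":
    for label, kwargs in [("delete old", dict(delete_old=True)),
                          ("keep old", dict(delete_old=False)),
                          ("delete + 5 s grace", dict(delete_old=True, grace=5))]:
        print(label, rapid_reload(**kwargs))
```

In the model, deleting the old ID loses the in-flight request, keeping it leaves the old ID usable an hour later, and the grace window serves the late request while still retiring the old ID.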
