I just realised a better fix for this. This seems (?) to do it:

if (isset($_REQUEST[session_name()])) {
        session_regenerate_id(true);
}

Or with $_COOKIE if use only cookies is on. Basically, the todo under
regenerateId() seems to be exactly this.


KyleMac wrote:
> 
> I think that regenerateId() should take a parameter to set
> delete_old_session to false in session_regenerate_id(). I've already
> changed my code to do this.
> 
> Why do I think this should be done? Well, session_regenerate_id(true)
> deletes the old session ID, so if a user fires off requests to a site in
> quick succession, it is quite possible for their browser to write the new
> cookies too slowly or in the wrong order and thus their session is lost.
> 
> It is quite easy to recreate this situation with some simple code and then
> just hammer (or hold down) F5. You have to pick up some speed to recreate
> the issue but it does occur randomly at normal speeds on a proper site (I
> think maybe the browser is slowed down much further by images or
> javascript or something).
> 

-- 
View this message in context: 
http://www.nabble.com/Implement-Zend_Session%3A%3AregenerateId%28false%29--tf4681793s16154.html#a13384561
Sent from the Zend Framework mailing list archive at Nabble.com.
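
The lost-session race described in the quoted message, as an added example that is not part of the original thread and is not Zend_Session code: a constructed in-memory store stands in for PHP's session storage, and handleRequest(), simulate() and GRACE_SECONDS are hypothetical names. It goes beyond the thread by adding a third mode, a short grace window for the old ID, which is an assumption of this example.

```php
<?php
// Constructed in-memory model of a session store; not Zend_Session code.
// Hypothetical names: handleRequest(), simulate(), GRACE_SECONDS.
const GRACE_SECONDS = 5;

/**
 * Serve one request that presents $cookieId, then rotate the ID.
 * Returns [newId, data], or null when the session cannot be found.
 */
function handleRequest(array &$store, string $cookieId, string $mode, int $now): ?array
{
    if (!isset($store[$cookieId])) {
        return null;                         // ID already deleted: session lost
    }
    $entry = $store[$cookieId];
    if (isset($entry['retired_at'])) {
        if ($now - $entry['retired_at'] > GRACE_SECONDS) {
            unset($store[$cookieId]);        // stale ID presented after the window
            return null;
        }
        // Late request inside the window: follow the pointer, do not rotate again.
        return [$entry['successor'], $store[$entry['successor']]['data']];
    }
    $newId = bin2hex(random_bytes(16));
    $store[$newId] = ['data' => $entry['data']];
    if ($mode === 'delete') {                // models session_regenerate_id(true)
        unset($store[$cookieId]);
    } elseif ($mode === 'grace') {           // keep old ID briefly, then reject it
        $store[$cookieId]['retired_at'] = $now;
        $store[$cookieId]['successor'] = $newId;
    }                                        // 'keep' models session_regenerate_id(false)
    return [$newId, $entry['data']];
}

/** Two requests sent with the same old cookie before the browser stores the new one. */
function simulate(string $mode): array
{
    $store  = ['old-id' => ['data' => ['user' => 'alice']]];
    $first  = handleRequest($store, 'old-id', $mode, 100);
    $second = handleRequest($store, 'old-id', $mode, 100);  // still carries old-id
    $replay = handleRequest($store, 'old-id', $mode, 200);  // old ID presented much later
    return ['second_ok' => $second !== null, 'replay_ok' => $replay !== null];
}

foreach (['delete', 'keep', 'grace'] as $mode) {
    printf("%-6s %s\n", $mode, json_encode(simulate($mode)));
}
```

In this model, 'keep' avoids the lost session but leaves the old ID usable until it is cleaned up, while 'grace' accepts it only inside the window.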
