Edit report at https://bugs.php.net/bug.php?id=61470&edit=1
ID: 61470 Comment by: chris at netshake dot de Reported by: david at grudl dot com Summary: session_regenerate_id() do not create session file Status: Assigned Type: Bug Package: Session related Operating System: ANY PHP Version: 5.4.0 Assigned To: yohgaki Block user comment: N Private report: N New Comment: This Workaround works well for me. // Session is already started session_regenerate_id( true ); // delete old session session_write_close(); // i'm not sure about that but it's required. session_start(); // reinitialize session with newly created id from 'session_regenerate_id()' I hope that future PHP-Versions will not make problems with this. Greets Chris Previous Comments: ------------------------------------------------------------------------ [2012-03-28 08:02:46] yohg...@php.net I have to deal with session ID collision detection in session_regenerate_id() for strict session. I think I found what's wrong. Assigned to myself. ------------------------------------------------------------------------ [2012-03-27 16:23:37] david at grudl dot com Usage of echo does not matter. ------------------------------------------------------------------------ [2012-03-25 21:00:29] riptide dot tempora at opinehub dot com How much of the bug is caused by having an echo before session_regenerate_id() which tries to send a new cookie to the end-user? ------------------------------------------------------------------------ [2012-03-22 14:27:49] david at grudl dot com Because this bug is very insidious and difficult to discover, I offer workaround https://github.com/nette/nette/commit/a4e4e80562cfb45d11d80e05d254fc207c456308#L0R241 $_SESSION is backed up before session_start() and restored to preserve the references. ------------------------------------------------------------------------ [2012-03-22 04:48:03] david at grudl dot com Description: ------------ session_start() creates and locks session file, but session_regenerate_id() doesn't do it. After session_regenerate_id() session is started with new ID, but the file is not created immediately (is created when session is closed) and therefore is not locked. I think this causes bugs like #49462. Test script: --------------- $path = ini_get('session.save_path') . '/sess_'; session_start(); // starts session & creates and locks file echo is_file($path . session_id()); // -> TRUE session_regenerate_id(); // starts new session, but file is not create! echo is_file($path . session_id()); // -> FALSE ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=61470&edit=1
