ID:               24096
 Updated by:       [EMAIL PROTECTED]
 Reported By:      pablo_sole at myp dot net dot ar
-Status:           Bogus
+Status:           Open
 Bug Type:         Feature/Change Request
 Operating System: linux rh8 apache 1.3.27
 PHP Version:      4.3.2
 New Comment:

-> Open


Previous Comments:
------------------------------------------------------------------------

[2003-06-09 23:10:25] [EMAIL PROTECTED]

It is debatable whether the function should destroy the old session. 
The current behaviour is useful under a number of circumstances.
Auto-destruction could be added as a new feature though.

 -> Feature/Change request.

------------------------------------------------------------------------

[2003-06-09 09:42:08] pablo_sole at myp dot net dot ar

Testing the new session_regenerate_id, I see that after upgrading the SID
it does not unlink the old session file, so when you regenerate many times
the session could be used to make a DoS, or at least it is not what is
expected from the function.

Checking the source code, the routine frees the SID and assigns the new
one, but does not unlink the old file (just like in the
php_session_destroy routine).

A workaround could be to unlink manually on the fly, or to patch the
session.c file.

Sorry for my poor English, but it is not my native language.

Any questions, mail me.

pablo.

PS: I do not have any "specific setup" or extra modules compiled in, and
for that reason I don't put it here.


------------------------------------------------------------------------
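
The manual-unlink workaround mentioned in the report, sketched as an added example (not code from the report or from PHP's session.c). It assumes the `files` save handler with a flat save path and a Linux host as in the report; `old_session_file()` and `regenerate_and_unlink_old()` are hypothetical helper names.

```php
<?php
// Added example: regenerate the session ID, then remove the session file
// that session_regenerate_id() leaves behind for the old ID.
// Assumptions: session.save_handler = files, sessions stored directly in the
// save path (no depth subdirectories), file names of the form sess_<id>.

function old_session_file($save_path, $sid)
{
    // The ID becomes part of a file name and can be supplied by the client,
    // so accept only the characters PHP itself uses for session IDs.
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid)) {
        return false;
    }
    // session.save_path may be "N;/path" or "N;MODE;/path"; keep the directory.
    $parts = explode(';', $save_path);
    $dir = $parts[count($parts) - 1];
    if ($dir === '') {
        return false; // no explicit save path configured: do not guess one
    }
    return rtrim($dir, '/') . '/sess_' . $sid;
}

function regenerate_and_unlink_old()
{
    $old_sid = session_id();
    if ($old_sid === '' || !session_regenerate_id()) {
        return false;
    }
    if (ini_get('session.save_handler') !== 'files') {
        return true; // other handlers do not keep sess_<id> files
    }
    $file = old_session_file(session_save_path(), $old_sid);
    if ($file !== false && is_file($file)) {
        // The session data stays in $_SESSION and is written under the new
        // ID at the end of the request, so the old file can go.
        return unlink($file);
    }
    return true;
}

session_start();
regenerate_and_unlink_old();
```

On PHP 5.1.0 and later, `session_regenerate_id(true)` deletes the old session itself, so the helper is only needed where that parameter is unavailable.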


-- 
Edit this bug report at http://bugs.php.net/?id=24096&edit=1
