From:             mjs15451 at hotmail dot com
Operating system: Linux
PHP version:      5.0.4
PHP Bug Type:     Session related
Bug description:  sess_* owner & session_regenerate_id

Description:
------------
I'm trying to build a secure application which can run in safe mode and prevent session fixation and hijacking. I would like to regenerate the session id on every request and delete the old sess_* file immediately after the new one is created. If I cannot delete it immediately, I have to rely on garbage collection which won't delete any files after the session expiration time of 24 minutes or whatever you set it to. As a result, this generates a lot of session files which take up unnecessary space on the hard drive.

The problem with this scenario is in safe mode I can't unlink the old session file because it's owned by the server process which is obviously not the same uid/gid as the php file. I can't use session_destroy as it just destroys the current session and when you start the session again, session_start just uses the same file name again.

Would it be possible to give session_start the ability to inherit the same ownership of the file in which it is being called and apply that ownership to the sess_* file? Or perhaps would it be possible to have a flag for session_regenerate_id to unlink the old file immediately instead of relying on garbage collection? I'd rather not have to use session_set_save_handler if that's possible as the built-in functions are faster and I like speed.

Reproduce code:
---------------
session_start();
$oldSessionID = session_id();

/* new argument for session_regenerate_id could delete old sess_* file
   immediately? */
session_regenerate_id();

/* **OR** The sess_* file that was created with session_start(); could have
   the same ownership as the template that called it so that one could
   unlink it in safe mode? */
unlink(session_save_path() . "/sess_" . $oldSessionID);

Expected result:
----------------
Either session_regenerate_id() deletes the old session file or the sess_* file has the same ownership (and not the server process ownership it currently has) to make it possible to unlink in safe mode.

Actual result:
--------------
It's not possible to unlink old sess_* file in safe mode and/or session_regenerate_id() doesn't have the ability to delete the old session file.

-- 
Edit bug report at http://bugs.php.net/?id=32631&edit=1
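
Added example (not part of the original report and not code from the PHP project): PHP 5.1.0 added a delete_old_session argument to session_regenerate_id(). The script below, assuming a CLI run with the default "files" save handler and a constructed scratch save path, rotates a session with and without that argument and reports whether the old sess_* file and the login stored under the old ID survive the rotation.

```php
<?php
// Added example, not code from the bug report. Assumes PHP >= 5.1 (which
// added the delete_old_session argument), the "files" handler, CLI run.
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();  // constructed scratch dir
mkdir($dir, 0700);
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');    // CLI: no cookie headers to send
ini_set('session.cache_limiter', '');

function rotate($deleteOld, $dir)
{
    // "Request 1": log in; session data is written under the original ID.
    session_start();
    $_SESSION['user'] = 'alice';        // constructed session data
    $old = session_id();
    session_write_close();

    // "Request 2": reopen the same session and rotate its ID.
    session_id($old);
    session_start();
    session_regenerate_id($deleteOld);
    $new = session_id();
    session_write_close();

    $oldFileLeft = file_exists("$dir/sess_$old");

    // Present the old ID again to see whether it still maps to the login.
    session_id($old);
    session_start();
    $oldIdAccepted = isset($_SESSION['user']);
    session_destroy();

    // Remove the rotated session so the next run starts clean.
    session_id($new);
    session_start();
    session_destroy();

    return array($oldFileLeft, $oldIdAccepted);
}

// Output is deferred until all session calls are done.
$results = array('default' => rotate(false, $dir),
                 'delete_old_session' => rotate(true, $dir));
rmdir($dir);
foreach ($results as $mode => $r) {
    printf("%-18s old file left: %s, old ID still carries login: %s\n",
        $mode, var_export($r[0], true), var_export($r[1], true));
}
```

Because the files handler performs the unlink itself, the script never has to call unlink() on a file owned by the server process.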
