ID: 24096 Comment by: mjs15451 at hotmail dot com Reported By: pablo_sole at myp dot net dot ar Status: Open Bug Type: Feature/Change Request Operating System: linux rh8 apache 1.3.27 PHP Version: 4.3.2 New Comment:
I would definitely be for auto-destruction of the old session file as I have come upon this problem as well and I have made a similar enhancement suggestion under bug: http://bugs.php.net/bug.php?id=32631 Previous Comments: ------------------------------------------------------------------------ [2003-06-10 23:50:40] pablo_sole at myp dot net dot ar You're right, in my own case i use this function to do a per-page session (following OWASP's "Guide to Build Secure Web Applications" or something like that), so what i'm doing is to refresh the id every time a user do a request, but without lost the "statefulness". So, if you think this need to be supported by the php sessions code, was an honor help you, if not... i already do a little patch to support it on my own server. pablo. ------------------------------------------------------------------------ [2003-06-09 23:11:00] [EMAIL PROTECTED] -> Open ------------------------------------------------------------------------ [2003-06-09 23:10:25] [EMAIL PROTECTED] It is debatable whether the function should destroy the old session. The current behaviour is useful under a number of circumstances. Auto-destruction could be added as a new feature though. -> Feature/Change request. ------------------------------------------------------------------------ [2003-06-09 09:42:08] pablo_sole at myp dot net dot ar testing the new session_regenerate_id i see that after upgrade de SID, not unlink the old session file so, when you regenerate many times the session could be used to make a DoS, or at least is not what it's expected from the function. Checking the source code, the routine free the SID and assign the new, but not unlink the old file (just like in the php_session_destroy routine). A workaround could be unlink manualy on the fly, or patch the session.c file. Sorry my poor english, but is not my native language. Any question, mail me. pablo. PD: I not have any "specific setup" or extra modules compiled in, and for that reason i don't put it here. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=24096&edit=1
