
Request #7031 I hope not to use "session_regenerate_id".
Submitted: 2006-03-06 12:41 UTC
From: daikon0209 at gmail dot com Assigned: aashley
Status: Closed Package: Auth (version 1.3.0)
PHP Version: 5.1.2 OS: Windows/Linux
Roadmaps: (Not assigned)    


 [2006-03-06 12:41 UTC] daikon0209 at gmail dot com (daikon)
Description:
------------
I hope not to use "session_regenerate_id".
Because,
1. So that the session file may remain.
1-2. It can hijack the session.
2. If "session_destroy" is done after "session_regenerate_id", it becomes an error. I can not change session ID.
3. "session_regenerate_id" is mounted since PHP 4.3.2.

Thank you.

Test script:
---------------
function session_switching()
{
    $QQ = serialize($_SESSION);
    session_destroy();
    session_id(md5(uniqid(rand(),1)));
    session_start();
    $_SESSION = unserialize($QQ);
}

Comments

 [2006-08-10 02:08 UTC] aashley at php dot net (Adam Ashley)
For now I've added the parameter to session_regenerate_id() that will force it to delete previous session storage in PHP5.1.0+. If someone has a fix that works for earlier versions of PHP (the above code sample doesn't) please reopen this ticket.
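
An added example, not part of the ticket or of the Auth package: it shows the leftover session file described in the report and how the delete-old-session argument of session_regenerate_id() (PHP 5.1.0+) removes it. It assumes the default "files" save handler and a command-line run; the temporary directory, the function name old_file_survives() and the session value are constructed for the demonstration.

```php
<?php
// Added demonstration; directory, function name and session data are constructed.
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
ini_set('session.save_handler', 'files');
ini_set('session.use_cookies', '0');   // CLI run: no cookie header is needed
session_save_path($dir);

// Regenerates the ID once and reports whether the old session file is still
// on disk and whether the session data followed the new ID.
function old_file_survives($deleteOld, $dir)
{
    session_start();
    $_SESSION['user'] = 'alice';
    $oldId = session_id();

    session_regenerate_id($deleteOld);
    $newId = session_id();

    clearstatcache();
    $survives = file_exists($dir . '/sess_' . $oldId);
    $carried  = ($newId !== $oldId) && isset($_SESSION['user']);

    session_destroy();                  // drop the new session before the next run
    return array($survives, $carried);
}

$results = array(
    'session_regenerate_id()'     => old_file_survives(false, $dir),
    'session_regenerate_id(true)' => old_file_survives(true, $dir),
);

// Clean up whatever the first call left behind, then the directory itself.
foreach (glob($dir . '/sess_*') as $leftover) {
    unlink($leftover);
}
rmdir($dir);

foreach ($results as $call => $r) {
    printf("%-28s old file remains: %-3s  data carried over: %s\n",
        $call, $r[0] ? 'yes' : 'no', $r[1] ? 'yes' : 'no');
}
```

An old session file that stays on disk keeps the old ID usable until garbage collection removes it, which is the hijacking concern raised in point 1-2 of the report.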