| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 1.6.4 |
| Request #7031 | I hope not to use "session_regenerate_id". | ||
|---|---|---|---|
| Submitted: | 2006-03-06 12:41 UTC | ||
| From: | daikon0209 at gmail dot com | Assigned: | aashley |
| Status: | Closed | Package: | Auth (version 1.3.0) |
| PHP Version: | 5.1.2 | OS: | Windows/Linux |
| Roadmaps: | (Not assigned) | ||
[2006-03-06 12:41 UTC] daikon0209 at gmail dot com
(daikon)
Description:
------------
I hope not to use "session_regenerate_id".
Because,
1.So that the session file may remain.
1-2. It can hijack the session.
2.If "session_destroy" is done after "session_regenerate_id", it becomes an error. I can not change session ID.
3."session_regenerate_id" is mounted since PHP 4.3.2.
Thank you.
Test script:
---------------
function session_switching()
{
$QQ = serialize($_SESSION);
session_destroy();
session_id(md5(uniqid(rand(),1)));
session_start();
$_SESSION = unserialize($QQ);
}
Comments
[2006-08-10 02:08 UTC] aashley at php dot net
(Adam Ashley)
For now I've added the parameter to session_regenerate_id() that will force it to delete previous session storage in PHP5.1.0+. If someone has a fix that works for earlier versions of PHP (the above code sample doesn't) please reopen this ticket.