[Solved] PHP and session loss on session_regenerate

D

DorBer2011-02-18 11:36:16

PHP

DorBer, 2011-02-18 11:36:16

[Solved] PHP and session loss on session_regenerate_id()

In short, we take the code:

<?php

session_start();

if (!isset($_SESSION['a']))
{
	$_SESSION['a'] = 0;
}

ob_start();

print $_SESSION['a'];

$_SESSION['a']++;

session_regenerate_id(true);

?>

Open in firefox, refresh the page several times. The counter is growing.
We hold down Ctrl-R and we see that we have lost the session.

The example is somewhat synthetic, but often a similar effect occurs during normal operation with the application. The bottom line is that the session identifier has changed, and the browser did not have time (or did not want to) accept the cookie.

Is it being treated?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Alexey Shein, 2011-02-18
@DorBer

Apparently, a race condition occurs here due to the many parallel requests trying to write their data to the session file. Add before session_regenerate_id(true);a call session_write_close();read, by the way, the description to this function.
In general, to prevent this from happening, session_regenerate_id(true);they usually put it right after the call session_start();.
With your synthetic example, I succeeded in both cases.

E

Eugene, 2011-02-18
@Nc_Soft

why use session_regenerate_id at all?