Hi all,

On Sun, Mar 1, 2015 at 1:53 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> https://bugs.php.net/bug.php?id=69127
>
> This bug is a known fatal bug in the session module. I proposed
> "lazy_destroy" to fix this before, but it was declined.
>
> I think the name was wrong. With the proposal, the session module destroys
> session data in a lazy manner, but it's actually a precise manner. i.e. the
> session module and browser are _not_ synced, so destroy must be done in an
> async manner (~= lazy manner. For example, delete session data 60 seconds
> later).
>
> The reason why session_regenerate_id(true) fails is that it deletes session
> data immediately even if the session and browser are not in sync. The
> session and browser cannot sync because there is no means for it in
> HTTP/cookies.
>
> Is there any other better idea for this?
>

I would like to fix this bug transparently. i.e. the user cannot detect an
already destroyed session that is still accessible.

The method is:

1. Add "__SESSION_TTL__", which holds the TTL timestamp, to the $_SESSION hash
before serialization.
2. If the session module finds "__SESSION_TTL__" in the unserialized data and
the TTL is past, regenerate the session ID and create a new session with
empty data. (The old session data is actually deleted.)
3. If the session is accessible by step 2, store the TTL in PS(ttl) and
initialize $_SESSION without "__SESSION_TTL__".
4. If PS(ttl) has a value greater than 0, add PS(ttl) back to the session data
before serialization.

Note: Serialization/unserialization is done in the session module. Users
cannot know of its existence.


I don't think users are using the "__SESSION_TTL__" key in $_SESSION, but it
is possible. If there is an invalid "__SESSION_TTL__" in $_SESSION, raise
E_NOTICE and remove the key from $_SESSION.

A BC break happens only when "__SESSION_TTL__" is used by users.

I would like to fix this in released versions, but it requires an addition to
the session module globals. The fix will only be available for PHP 7.

However, PS(ttl) can be added to the end of PS(). If this is OK, I'll fix
this bug from PHP 5.4 on.

Comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
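
The four steps above, modelled as an added userland example (this is not
Yasuo's patch; the real fix lives in ext/session and hides the key inside the
module's own serialization). The class name, the in-memory array store, the
deterministic "sessN" IDs and the injected clock closure are assumptions made
here so the race from bug #69127 can be replayed offline: a late request that
still carries the old cookie arrives after session_regenerate_id(true).

```php
<?php
// Added example: userland model of the proposed "__SESSION_TTL__" lazy destroy.
// Assumptions: in-memory store instead of a save handler, counter-based IDs
// instead of random ones, and a clock closure so time can be advanced by hand.
final class LazySessionStore
{
    public const TTL_KEY = '__SESSION_TTL__';

    /** @var array<string,string> id => serialized data (stands in for the save handler) */
    private array $storage = [];
    /** @var array<string,int> id => TTL to re-attach on write (models PS(ttl)) */
    private array $pendingTtl = [];
    private int $counter = 0;
    private \Closure $now;

    public function __construct(\Closure $now)
    {
        $this->now = $now;
    }

    private function newId(): string
    {
        return 'sess' . (++$this->counter); // the real module uses random bytes
    }

    /** Steps 2 and 3: read a session, honouring a TTL left by an earlier regenerate. */
    public function start(?string $id): array
    {
        if ($id === null || !isset($this->storage[$id])) {
            return [$this->newId(), []];
        }
        $data = unserialize($this->storage[$id]);
        if (array_key_exists(self::TTL_KEY, $data)) {
            $ttl = $data[self::TTL_KEY];
            if (!is_int($ttl)) {
                // user-supplied or corrupt marker: notice and drop it
                trigger_error('invalid ' . self::TTL_KEY . ' in session data', E_USER_NOTICE);
                unset($data[self::TTL_KEY]);
            } elseif ($ttl < ($this->now)()) {
                // grace period elapsed: delete for real, hand out a fresh empty session
                unset($this->storage[$id]);
                return [$this->newId(), []];
            } else {
                // still inside the grace period: remember the TTL, hide the key from the user
                $this->pendingTtl[$id] = $ttl;
                unset($data[self::TTL_KEY]);
            }
        }
        return [$id, $data];
    }

    /** Steps 1 and 4: persist; re-attach the TTL if this ID is scheduled for deletion. */
    public function write(string $id, array $data): void
    {
        if (array_key_exists(self::TTL_KEY, $data)) {
            trigger_error(self::TTL_KEY . ' is reserved; key removed', E_USER_NOTICE);
            unset($data[self::TTL_KEY]);
        }
        if (isset($this->pendingTtl[$id])) {
            $data[self::TTL_KEY] = $this->pendingTtl[$id];
        }
        $this->storage[$id] = serialize($data);
    }

    /** Stands in for session_regenerate_id(true): the old ID gets a TTL instead of unlink(). */
    public function regenerate(string $oldId, array $data, int $graceSeconds = 60): string
    {
        $newId = $this->newId();
        $this->storage[$newId] = serialize($data);
        $old = $data;
        $old[self::TTL_KEY] = ($this->now)() + $graceSeconds;
        $this->storage[$oldId] = serialize($old);
        unset($this->pendingTtl[$oldId]);
        return $newId;
    }
}

// Walkthrough with a constructed clock.
$t = 1000;
$store = new LazySessionStore(function () use (&$t) { return $t; });

[$id, $data] = $store->start(null);
$data['user'] = 'alice';
$store->write($id, $data);

$newId = $store->regenerate($id, $data);   // old ID is now due for deletion in 60s

$t += 10;
[$lateId, $lateData] = $store->start($id); // stale cookie arrives 10s later
assert($lateId === $id && $lateData === ['user' => 'alice']); // still readable, TTL hidden
$store->write($lateId, $lateData);          // TTL re-attached without the user seeing it

$t += 60;
[$goneId, $goneData] = $store->start($id); // grace period over
assert($goneId !== $id && $goneData === []); // old data really gone, fresh empty session
```

The point the model makes visible is that the only observable difference from
the current behaviour is the window in which the old ID still resolves; after
the TTL the outcome is exactly what session_regenerate_id(true) gives today,
and a user who never touches "__SESSION_TTL__" sees nothing of the mechanism.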
