Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 0.5.6

Request #8911 Add the possibilty to change the session id after destroy of old one.
Submitted: 2006-10-08 14:12 UTC
From: simon at ruderich dot com Assigned: troehr
Status: Closed Package: HTTP_Session (version 0.5.3)
PHP Version: Irrelevant OS: Mac OS X 10.4
Roadmaps: (Not assigned)    

 [2006-10-08 14:12 UTC] simon at ruderich dot com (Simon Ruderich)
Description: ------------ I'm trying to destroy the current session id (and data) and create a new one with new data in the same script. I'm doing this to prevent session injections, because the attacker could select the session id which I want to prevent. So I need a possibility to change the session id after I destroyed the old one when I create a new one within the same script. I looked in the sources of HTTP/Session.php and came up with a small addition which would add the possibility to HTTP_Session::start() to change the session id if it's requested. I added an example script which uses my small addition and shows the difference between the "old" and "new" behavior. --- Session.php (0.5.3b) 2006-10-08 15:57:47.000000000 +0200 +++ Session.php (my change) 2006-10-08 15:59:17.000000000 +0200 @@ -140,15 +140,18 @@ * @param $name string Name of a session, default is 'SessionID' * @param $id string Id of a session which will be used * only when the session is new + * @param $changeSID boolean change the session id to a new on, if $id is + * specified this one is used, otherwise it is randomly + * generated * @return void * @see session_name() * @see session_id() * @see session_start() */ - function start($name = 'SessionID', $id = null) + function start($name = 'SessionID', $id = null, $changeSID = false) { HTTP_Session::name($name); - if (is_null(HTTP_Session::detectID())) { + if (is_null(HTTP_Session::detectID()) or $changeSID) { HTTP_Session::id($id ? $id : uniqid(dechex(rand()))); } session_start(); Test script: --------------- <?php require_once 'HTTP/Session.php'; HTTP_Session::useCookies( true ); HTTP_Session::start( 'mysession' ); echo 'session_id: ', HTTP_Session::id(), '<br>', "\n"; HTTP_SESSION::destroy(); # "old" version (result in "Actual result"): HTTP_Session::useCookies( true ); # "new" version (result in "Expected result"): HTTP_Session::useCookies( true, null, true ); # generate a new session id HTTP_SESSION::start( 'mysession' ); echo 'session_id: ', HTTP_Session::id(), '<br>', "\n"; ?> Expected result: ---------------- "new" result (just an example): session_id: 393f53b54529057b1aca2 session_id: 5e836a0f4529057f9b068 Actual result: -------------- "old" result (just an example): session_id: 14822e9845290214b48cf session_id: 14822e9845290214b48cf


 [2006-10-12 14:13 UTC] troehr (Torsten Roehr)
Sorry, but your problem does not imply a bug in PEAR itself. For a list of more appropriate places to ask for help using PEAR, please visit as this bug system is not the appropriate forum for asking support questions. Thank you for your interest in PEAR. The required effect can be achieved with: require_once 'HTTP/Session.php'; HTTP_Session::useCookies(true); HTTP_Session::start('mysession', 1111); echo 'session_id: ', session_id(), '<br>', "\n"; HTTP_Session::destroy(); HTTP_Session::start('mysession', 9999); echo 'session_id: ', session_id(), '<br>', "\n"; Also, see:
 [2006-10-12 17:09 UTC] simon at ruderich dot com
But the problem with this solution is that I have to create the session id by myself. I would be much better if I could delegate this task to HTTP_Session. If the creation of the session id will ever change I would have to change all my own session ids to match the creation; for example a new security advice to make the sessions unique. This is an overhead. I know how session_regenerate_id() works so it would be nice if HTTP_Session would replicate this function. The best way would to achieve this would be to add a new function: HTTP_SESSION::regenerate(). Thanks in advance, Simon
 [2006-10-21 12:51 UTC] troehr (Torsten Roehr)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on by the end of next Sunday (CET). If this was a problem with the website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. Added regenerateId() to CVS.