Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't delete session data when regenerating ids on login #556

Closed
wants to merge 1 commit into from
Closed

Don't delete session data when regenerating ids on login #556

wants to merge 1 commit into from

Conversation

airbone42
Copy link

this would also remove the data of logged in user, so a login is actually not possible.

See the php manual for details on using session_regenerate_id: http://www.php.net/manual/en/function.session-regenerate-id.php

@verklov verklov self-assigned this Apr 22, 2014
@verklov
Copy link
Contributor

verklov commented Apr 22, 2014

@airbone42, thank you for your contribution! We created ticket in the backlog and will get back to you once the team processes it.

@airbone42
Copy link
Author

Actually this might be the fix for #449

@verklov
Copy link
Contributor

verklov commented Apr 24, 2014

@airbone42, the team has reviewed this issue. Below is the response from the developer:

The proposed session_regenerate_id(false) does not delete an old session. If we don't delete old session, then it leads to possible session hijacking because session_regenerate_id(false) leaves old, but still valid sessions inside the /tmp directory.

The description "this would also remove the data of logged in user, so a login is actually not possible." can be true ONLY in case with multiple requests, when they are put in queue:
Request 1(login): session_regenerate_id(true) changes session ID and deletes the old session(guest session).
Request 2: still has an old session ID(which doesn't exist) which leads to starting a new session.
Result: user is logged out.
So it doesn't make any sense to use session_regenerate_id(false), because we use session id regenerating only on login and the issue with multiple requests is not a case.

Unfortunately we do not accept this contribution and are closing this issue.

Nevertheless, thank you for the idea and please continue finding places that can be improved in Magento 2!

@verklov verklov closed this Apr 24, 2014
magento-team pushed a commit that referenced this pull request Oct 21, 2015
@slavvka
Merge pull request #556 from magento-south/merchant_beta
1bc2180 
[MERCHANT_BETA][SOUTH+TROLL] Create a customer on the frontend, open customer acct in admin, receive error message
magento-team pushed a commit that referenced this pull request Apr 22, 2016
Merge pull request #556 from magento-mpi/pr-mpi-200416
9581647 
[MPI] Bugfixes
okorshenko pushed a commit that referenced this pull request Feb 7, 2017
Merge pull request #556 from magento-okapis
2347bc6 
MAGETWO-60364: Prepare code base for 2.1.4-dev release
magento-devops-reposync-svc pushed a commit that referenced this pull request Sep 8, 2023
@andimov
Merge pull request #556 from magento-performance/ACPT-1186
6701fc9 
ACPT-1186: Add ability to find non-changing mutable state in GraphQlStateTest
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@verklov verklov

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@airbone42 @verklov