Hi all,
On Mon, Jan 20, 2014 at 1:27 PM, Yasuo Ohgaki <[email protected]> wrote:
> With AJAX or browsers supporting concurrent access to the server,
> concurrent access to the server is possible.
>
> When the session ID is regenerated, it is possible that some connections
> access the server with the old session ID, i.e. a race condition.
>
> When this happens, the old session that may be known to an attacker may be
> reinitialized, or a new unneeded session ID is created when
> use_strict_mode=On.
>
> Allowing access to old session data for a while prevents these cases that
> initialize unneeded sessions.
>
> The RFC proposes a deletion flag in $_SESSION. It's a little dirty,
> but it's faster and simpler. It would be acceptable because the session is
> a deleted one.
>
Additional comment on this.
session_destroy()/session_gc() delete session data immediately.
session.lazy_destroy applies only when session_regenerate_id() is called.
The name (session.lazy_destroy) might be better changed, or it might be
better to apply it to session_destroy() as well, since there would be a
similar race condition to the one with session_regenerate_id().
Regards,
--
Yasuo Ohgaki
[email protected]
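As an added illustration of the deletion-flag idea discussed above (an editor's user-land sketch, not the RFC's patch or any code from this thread): the old session record is stamped with a timestamp before the ID is switched, and a late request carrying the old ID is served only while that stamp is within a grace window. The flag name `__session_destroyed_at` and the 60-second window are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed names for this sketch; the RFC's real flag name is not quoted on this page.
const SESSION_DESTROYED_AT  = '__session_destroyed_at'; // deletion flag kept in $_SESSION
const SESSION_GRACE_SECONDS = 60;                        // how long the old ID stays usable

/**
 * Regenerate the session ID while keeping the old session readable for a short
 * grace period, so concurrent (AJAX) requests still carrying the old ID are
 * served instead of racing against an already-deleted session.
 */
function regenerate_session_id_lazily(): void
{
    // 1. Stamp the *old* session with the deletion flag and persist it under the old ID.
    $_SESSION[SESSION_DESTROYED_AT] = time();
    session_write_close();

    // 2. Reopen the old session and switch to a fresh ID. false = keep the old
    //    record in storage (it now carries the flag) instead of deleting it.
    session_start();
    session_regenerate_id(false);

    // 3. The new session must not inherit the deletion flag.
    unset($_SESSION[SESSION_DESTROYED_AT]);
}

/**
 * Start the session and enforce the grace period. Returns true when the request
 * may continue with the current data (live session, or flagged but still within
 * the window) and false when the stale session was discarded and a new ID issued.
 */
function start_session_with_lazy_destroy(): bool
{
    session_start();
    if (!isset($_SESSION[SESSION_DESTROYED_AT])) {
        return true; // ordinary live session
    }
    $age = time() - (int) $_SESSION[SESSION_DESTROYED_AT];
    if ($age <= SESSION_GRACE_SECONDS) {
        return true; // late request with the old ID: served during the grace window
    }
    // Window expired: drop the stale data and issue a new ID (true = delete old record).
    $_SESSION = [];
    session_regenerate_id(true);
    return false;
}
```

Note that this only approximates the RFC's behaviour from user land; a request arriving with the old ID after the window gets an empty session rather than the INI-controlled handling the RFC would add inside ext/session.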