Re: [RFC] [Discussion] Secure session_regenerate_id()
Hi,
>> Consider following scenario:
>>
>> 1. session_regenerate_id(..) is called
>> 2. request to /update_session with old session id is done (some key-value
>> in
>> session is changed) - with your change this request will succeed
>> --- from here user uses only new session -
>> 3. updated key-value is missing in new session
>>
>> (same scenario can be triggered now if old session is not deleted)
>
>
> This race condition will not change with or without my proposal.
Which is another reason to leave this to user code:
ajax_safe_regenerate_id($delete = TRUE)
{
if ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
{
return FALSE;
}
return session_regenerate_id($delete);
}
Cheers,
Andrey.
Thread (23 messages)