Re: [RFC] [Discussion] Secure session_regenerate_id()
On Thu, Mar 20, 2014 at 11:26:13AM +0200, Andrey Andreev wrote:
> > This race condition will not change with or without my proposal.
>
> Which is another reason to leave this to user code:
>
> function ajax_safe_regenerate_id($delete = TRUE)
> {
>     if ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
>         strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
>     {
>         return FALSE;
>     }
>
>     return session_regenerate_id($delete);
> }
This is not going to work properly, there's still a race. I think that the best
solution is to handle the race on the client side (send the request once more on
session error).
Kind Regards,
Mateusz Kocielski