Re: [RFC] [Discussion] Secure session_regenerate_id()

Date: Thu, 20 Mar 2014 10:04:23 +0000
Subject: Re: [RFC] [Discussion] Secure session_regenerate_id()
Hi,

On Thu, Mar 20, 2014 at 11:49 AM, Mateusz Kocielski <[email protected]> wrote:
> On Thu, Mar 20, 2014 at 11:26:13AM +0200, Andrey Andreev wrote:
>
>> > This race condition will not change with or without my proposal.
>>
>> Which is another reason to leave this to user code:
>>
>> function ajax_safe_regenerate_id($delete = TRUE)
>> {
>>     // Skip regeneration for Ajax requests so in-flight calls keep a valid ID
>>     if ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
>> strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
>>     {
>>         return FALSE;
>>     }
>>
>>     return session_regenerate_id($delete);
>> }
>
> This is not going to work properly, there's still race. I think that the best
> solution is to handle race on client side (send request once more on session
> error).

There's no race condition, because there's no regeneration if the
request is done through Ajax (provided that the X-Requested-With
header is sent to tell us about that, which popular JS frameworks do),
that is the root cause of the problem.
But the bottom line is - it depends on client side implementation, and
this is an application design detail. It can't be solved by PHP.

Cheers,
Andrey.
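As an added example (not code from the thread), the check Andrey describes written out as a complete PHP snippet: the header test is a pure helper so it can be exercised from the CLI with constructed `$_SERVER` arrays, and regeneration is additionally skipped when no session is active.

```php
<?php
// Added example, not from the thread: the Ajax decision is split into a pure
// helper so it can be exercised without an active session.

/** True when the request carries X-Requested-With: XMLHttpRequest (sent by jQuery and similar). */
function is_ajax_request(array $server): bool
{
    return !empty($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

/**
 * Regenerate the session ID only for non-Ajax requests, so Ajax calls already
 * in flight with the old ID are not cut off by the regeneration.
 * Returns false when regeneration was skipped or no session is active.
 */
function ajax_safe_regenerate_id(bool $delete_old_session = true): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE || is_ajax_request($_SERVER)) {
        return false;
    }
    return session_regenerate_id($delete_old_session);
}

// Constructed sample environments for a CLI check of the decision logic.
$samples = [
    'page load'  => ['HTTP_X_REQUESTED_WITH' => null],
    'jQuery xhr' => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'lowercase'  => ['HTTP_X_REQUESTED_WITH' => 'xmlhttprequest'],
];
foreach ($samples as $label => $server) {
    printf("%-11s regenerate? %s\n", $label, is_ajax_request($server) ? 'no' : 'yes');
}
```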

