On Thu, Mar 20, 2014 at 12:04:23PM +0200, Andrey Andreev wrote:
> Hi,
>
> On Thu, Mar 20, 2014 at 11:49 AM, Mateusz Kocielski <[email protected]> wrote:
> > On Thu, Mar 20, 2014 at 11:26:13AM +0200, Andrey Andreev wrote:
> >
> >> > This race condition will not change with or without my proposal.
> >>
> >> Which is another reason to leave this to user code:
> >>
> >> function ajax_safe_regenerate_id($delete = TRUE)
> >> {
> >>     // Skip regeneration for Ajax requests, detected via the
> >>     // X-Requested-With header that popular JS frameworks send
> >>     if ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
> >>          strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
> >>     {
> >>         return FALSE;
> >>     }
> >>
> >>     return session_regenerate_id($delete);
> >> }
> >
> > This is not going to work properly, there's still a race. I think that the best
> > solution is to handle the race on the client side (send the request once more on
> > session error).
>
> There's no race condition, because there's no regeneration if the
> request is done through Ajax (provided that the X-Requested-With
> header is sent to tell us about that, which popular JS frameworks do),
> that is the root cause of the problem.
> But the bottom line is - it depends on the client-side implementation, and
> this is an application design detail. It can't be solved by PHP.
There are still multi-tab apps and a thousand other cases we might consider, but
it will be better not to go further. ;) I think we agree that it's not
PHP core's task to handle it.
Kind Regards,
Mateusz Kocielski
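The race both participants refer to, as an added model (not code from this thread or from PHP): a page request regenerates the session ID with delete=TRUE while an Ajax request that still carries the old cookie is in flight, and Mateusz's suggested fix of resending once on session error. The store, request handler and request ordering are constructed stand-ins; the interleaving is written out sequentially rather than with real threads.

```python
"""Constructed model of the session_regenerate_id() race discussed in the
thread (not code from the discussion): a page request regenerates the session
ID with delete=TRUE while an Ajax request that still carries the old cookie is
in flight. Shows the stale-ID failure and the client-side resend."""
import itertools


class SessionStore:
    """Minimal in-memory server-side session store keyed by session ID."""

    def __init__(self):
        self.data = {"sid-old": {"user": "alice"}}  # constructed sample session
        self.ids = itertools.count(1)

    def regenerate(self, sid, delete_old=True):
        """Model of session_regenerate_id($delete): copy data to a new ID."""
        new_sid = f"sid-{next(self.ids)}"
        self.data[new_sid] = self.data[sid]
        if delete_old:  # delete=TRUE removes the old ID immediately
            del self.data[sid]
        return new_sid


def handle(store, sid, ajax):
    """Server side. Returns (status, sid_to_set_in_cookie). Page requests
    regenerate the ID; Ajax requests never do (the ajax_safe_regenerate_id()
    policy from the thread)."""
    if sid not in store.data:
        return "session error", None
    if ajax:
        return "ok", None
    return "ok", store.regenerate(sid, delete_old=True)


def run_scenario(client_resends):
    """Client side: a page request and an Ajax request are issued back to
    back with the same cookie, so the Ajax request is already in flight when
    the page response sets the new ID. Returns the Ajax request's final
    status."""
    store = SessionStore()
    jar = {"sid": "sid-old"}
    ajax_sid = jar["sid"]  # captured before the page response arrives
    _, new_sid = handle(store, jar["sid"], ajax=False)
    jar["sid"] = new_sid  # browser stores the Set-Cookie from the page
    status, _ = handle(store, ajax_sid, ajax=True)  # stale ID: fails
    if status == "session error" and client_resends:
        status, _ = handle(store, jar["sid"], ajax=True)  # resend with new ID
    return status
```

Without the resend the Ajax request ends in "session error" even though Ajax requests themselves never regenerate; with it, the retry carries the new ID and succeeds.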