Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.6.4

Request #10729 session_regenerate_id() should be called every time start() is called
Submitted: 2007-04-14 22:16 UTC
From: repher Assigned: aashley
Status: Closed Package: Auth (version 1.5.1)
PHP Version: 5.2.0 OS: Linux/Debian
Roadmaps: 1.5.2    

 [2007-04-14 22:16 UTC] repher (Bernhard Picher)
Description: ------------ The session id should change every time the start() method is called to avoid session hijacking. Test script: --------------- function start() { $this->log('Auth::start() called.', AUTH_LOG_DEBUG); --> session_regenerate_id(true); $this->assignData(); if (!$this->checkAuth() && $this->allowLogin) { $this->login(); } }


 [2007-04-15 10:52 UTC] aashley (Adam Ashley)
patch as submitted not going to be applied. Regenerating the session id causes problems with browser back and forward in some applications, changing this now would be a BC break. Maybe doable as a configurable option.
 [2007-04-15 11:20 UTC] repher (Bernhard)
Ok. I agree. I uploaded a patch adding this configuriation option.
 [2007-06-12 03:12 UTC] aashley (Adam Ashley)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on by the end of next Sunday (CET). If this was a problem with the website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. Also added code so that on initial login if regenerate session id is enabled session_regenerate_id() is called only once not twice as original patch would do. Renamed option to regenerateSessionId