Request #10729 session_regenerate_id() should be called every time start() is called
Submitted: 2007-04-14 22:16 UTC
From: repher Assigned: aashley
Status: Closed Package: Auth (version 1.5.1)
PHP Version: 5.2.0 OS: Linux/Debian
Roadmaps: 1.5.2    
 [2007-04-14 22:16 UTC] repher (Bernhard Picher)
Description:
------------
The session id should change every time the start() method is called to avoid session hijacking.

Test script:
---------------
function start()
{
    $this->log('Auth::start() called.', AUTH_LOG_DEBUG);
    session_regenerate_id(true); // <-- proposed addition
    $this->assignData();
    if (!$this->checkAuth() && $this->allowLogin) {
        $this->login();
    }
}

Comments

 [2007-04-15 10:52 UTC] aashley (Adam Ashley)
Patch as submitted is not going to be applied. Regenerating the session id causes problems with browser back and forward in some applications; changing this now would be a BC break. Maybe doable as a configurable option.
 [2007-04-15 11:20 UTC] repher (Bernhard)
Ok. I agree. I uploaded a patch adding this configuration option.
 [2007-06-12 03:12 UTC] aashley (Adam Ashley)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.

Also added code so that on initial login, if regenerate session id is enabled, session_regenerate_id() is called only once, not twice as the original patch would do. Renamed option to regenerateSessionId.
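
The behaviour discussed in this thread (an opt-in regenerateSessionId setting, with a single regeneration when start() leads into a login), as an added example that is not the code committed to PEAR Auth. The DemoAuth class, its rotate() helper, the $rotations counter and the user name are hypothetical, and the three start() calls stand in for three separate requests.

```php
<?php
// Added illustration: DemoAuth and its members are hypothetical, not PEAR Auth code.
class DemoAuth
{
    public $regenerateSessionId = false; // opt-in; the default keeps the old behaviour
    public $rotations = 0;               // demo counter: rotations in the current request
    private function rotate()
    {
        if ($this->regenerateSessionId && $this->rotations === 0) {
            // true = delete the old session data so the previous id stops working
            session_regenerate_id(true);
            $this->rotations++;
        }
    }
    public function start($user = null)
    {
        if (session_id() === '') {
            session_start();
        }
        $this->rotations = 0;            // a new request begins
        $this->rotate();
        if (empty($_SESSION['user']) && $user !== null) {
            $this->login($user);
        }
    }
    public function login($user)
    {
        $this->rotate();                 // no-op when start() already rotated
        $_SESSION['user'] = $user;
    }
}

// Constructed demo. Results are collected first and printed at the end so that
// no output is sent before the session functions run (matters under the CLI).
$auth = new DemoAuth();
$auth->regenerateSessionId = true;
$auth->start('alice');                   // request 1: start() followed by login()
$first = session_id();
$loginRotations = $auth->rotations;
$auth->start();                          // request 2: option on
$second = session_id();
$auth->regenerateSessionId = false;
$auth->start();                          // request 3: option off
$third = session_id();
printf("rotations during login request: %d\n", $loginRotations);
printf("id changed on second start(): %s\n", $first !== $second ? 'yes' : 'no');
printf("id kept with option off: %s\n", $second === $third ? 'yes' : 'no');
```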