Skip to content

fix(session): log session_regenerate_id for debugging #53505

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

fix(session): log session_regenerate_id for debugging #53505

wants to merge 1 commit into from
+7 −0

Conversation

ChristophWurst
Copy link
Member

Summary

From https://www.php.net/manual/en/function.session-regenerate-id.php

You should not destroy old session data immediately, but should use destroy time-stamp and control access to old session ID. Otherwise, concurrent access to page may result in inconsistent state, or you may have lost session, or it may cause client (browser) side race condition and may create many session ID needlessly. Immediate session data deletion disables session hijack attack detection and prevention also.

A session decryption error like HMAC mismatch triggers the session ID to regenerate, which in turn could lead to a lost session.

TODO

  • ...

Checklist

@ChristophWurst ChristophWurst self-assigned this Jun 16, 2025
@ChristophWurst ChristophWurst mentioned this pull request Jun 16, 2025
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@ChristophWurst ChristophWurst

Labels
2. developing Work in progress feature: authentication
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ChristophWurst