ZF2-52: ::regenerateId() fails and ::rememberMe() clears session storage

Description

When using {{Zend\Authentication\Storage\Session}} there is no easy way to use {{SessionManager::rememberMe()}} due to a bug.

When creating a new session cookie, SessionManager clears the whole session registry, which also clears the Authentication storage.

i.e.


use Zend\Authentication\AuthenticationService as AuthService;
use Zend\Authentication\Storage\Session as AuthSession;
use Zend\Session\SessionManager;

$sessionManager = new SessionManager();
$sessionManager->start();
$auth = new AuthService(new AuthSession('Zend_Auth', 'storage', $sessionManager));

// (...)  perform authentication

$auth->getStorage()->write($user->id);
$sessionManager->rememberMe(84600);   // this clears the authentication storage because of a bug.

Comments

Current session implementation performs the following tasks when regenerating id (using php session extension, assuming session started before):

1) session_start()
2) session_destroy()
3) session_regenerate_id()
4) session_start()

This will fail with PHP 5.0+, because of how the session extension works. Here is some test code:


session_start();
session_destroy();
session_regenerate_id();
session_start();
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [2] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [3] => Pragma: no-cache
// )

Note there are NO COOKIES being sent. This is because session_destroy() will prevent any consequent operations and will refuse to send proper cookies.

Here is a proper way to regenerate the session id:


session_start();
// session_destroy(); DO NOT destroy session
session_regenerate_id();
// session_start();   already started
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [2] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [3] => Pragma: no-cache
//     [4] => Set-Cookie: PHPSESSID=4412k2at1c8temh9fepgcleau0; path=/
// )

Alternatively, the regeneration has to occur BEFORE session_destroy(). This is a PHP quirk, mentioned here: http://php.net/manual/en/…


session_start();
session_regenerate_id();
session_destroy();
session_start();
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Set-Cookie: PHPSESSID=4412k2at1c8temh9fepgcleau0; path=/
//     [2] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [3] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [4] => Pragma: no-cache
// )

~Tested with PHP 5.3.6 and 5.2.9~

Please pull
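The sequence the comment recommends (regenerate without destroying), written out as a small helper that also keeps the data an authentication storage would have written. This is an added example, not code from the issue or from Zend Framework; it assumes the default PHP session extension on PHP 7 or later (for session_status() and the return type), and the $_SESSION['Zend_Auth']['storage'] key is a constructed stand-in for what Zend\Authentication\Storage\Session writes.

```php
<?php
// Added example (not from the ZF2 issue or the framework): regenerate the
// session id while keeping the session payload intact.
// Assumes PHP >= 7 with the default session extension.

/**
 * Regenerate the session id without discarding $_SESSION.
 *
 * session_regenerate_id(true) creates a new id, queues the Set-Cookie header
 * for it and deletes the old session data, so the old id can no longer be
 * presented (the usual fixation mitigation on login) while the payload stays
 * attached to the new id. Returns the id that was replaced.
 */
function regenerateSessionIdKeepingData(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $old = session_id();

    // Never call session_destroy() here: as shown in the thread, it empties
    // the session and no Set-Cookie header is emitted afterwards.
    session_regenerate_id(true);

    return $old;
}

// Constructed demo: write an "authentication" value, regenerate, verify it survives.
session_start();
$_SESSION['Zend_Auth']['storage'] = 42;   // constructed stand-in for the auth storage member

$oldId = regenerateSessionIdKeepingData();
$newId = session_id();

if ($oldId === $newId) {
    throw new RuntimeException('session id was not regenerated');
}
if (($_SESSION['Zend_Auth']['storage'] ?? null) !== 42) {
    throw new RuntimeException('authentication storage was lost during regeneration');
}

// When run behind a web server (not the CLI, where headers_list() is empty),
// a Set-Cookie header for the new id is present, unlike the
// destroy-then-regenerate sequence from the original comment.
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
        echo $header, PHP_EOL;
    }
}
```

The `true` argument to session_regenerate_id() is what invalidates the previous id on the server side; without it the old session data remains readable under the old id until garbage collection, which defeats the point of regenerating on authentication.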