ZF2-52: ::regenerateId() fails and ::rememberMe() clears session storage

Issue Type:
Bug
Created:
2011-08-22T07:24:49.000+0000
Last Updated:
2011-08-25T12:15:04.000+0000
Status:
Resolved
Fix version(s):
    Reporter:
    Artur Bodera (joust)
    Assignee:
    Artur Bodera (joust)
    Tags:
    • Zend\Authentication
    • Zend\Session
    Related issues:
    Attachments:

    Description

    When using {{Zend\Authentication\Storage\Session}} there is no easy way to use {{SessionManager::rememberMe()}} due to a bug.

    When creating new session cookie, SessionManager clears the whole session registry which also clears Authentication storage.

    i.e.

    
$sessionManager->start();
$auth = new AuthService(new AuthSession('Zend_Auth','storage',$sessionManager));

// (...)  perform authentication

$auth->getStorage()->write($user->id);
$sessionManager->rememberMe(84600);   // this clears the authentication storage because of a bug.

    Comments

    Posted by Artur Bodera (joust) on 2011-08-22T09:50:43.000+0000

    Current session implentation performs the following tasks when regenerating id (using php session extension, assuming session started before): 1) session_start() 2) session_destroy() 3) session_regenerate_id() 4) session_start()

    This will fail with PHP 5.0+, because of how session extension works. Here is a test code:

    
session_start();
session_destroy();
session_regenerate_id();
session_start();
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [2] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [3] => Pragma: no-cache
// )

    Note there are NO COOKIES being sent. This is because session_destroy() will prevent any consequent operations and will refuse to send proper cookies.

    Here is a proper way to regenerate session id:

    
session_start();
// session_destroy(); DO NOT destroy session
session_regenerate_id();
// session_start();   already started
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [2] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [3] => Pragma: no-cache
//     [4] => Set-Cookie: PHPSESSID=4412k2at1c8temh9fepgcleau0; path=/
// )

    Alternatively, the regeneration has to occur BEFORE session_destroy(). This is a PHP quirk, mentioned here: http://php.net/manual/en/…

    
session_start();
session_regenerate_id();
session_destroy();
session_start();
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Set-Cookie: PHPSESSID=4412k2at1c8temh9fepgcleau0; path=/
//     [2] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [3] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [4] => Pragma: no-cache
// )

    ~Tested with PHP 5.3.6 and 5.2.9~

    Posted by Artur Bodera (joust) on 2011-08-22T10:38:30.000+0000

    Pull request: https://github.com/zendframework/zf2/pull/352

    Posted by Artur Bodera (joust) on 2011-08-25T12:15:04.000+0000

    Please pull