ZF-11420: Zend_Session doesn't allow you to destory and recreate a session

Issue Type: Bug Created: 2011-05-31T12:09:47.000+0000 Last Updated: 2011-08-26T10:59:03.000+0000 Status: Closed Fix version(s): Reporter: venu (tvgece) Assignee: Artur Bodera (joust) Tags: - Zend_Session

  • zendsession
  • zf-crteam-padraic
  • zf-crteam-priority

Related issues: - ZF-3378



My requirement is, When user agent change session should destroy, and it should start new session. But Zend_Session::start() is throwing an exception if destroy was called before start().

<pre class="highlight"> 
try {
} catch (Zend_Session_Exception $e) {
  Zend_Session::start(); // breaking here
Zend_Session::registerValidator(new Zend_Session_Validator_HttpUserAgent());


Uncaught exception 'Zend_Session_Exception' with message 'The session was explicitly destroyed during this request, attempting to re-start is not allowed.' in library\Zend\Session.php:431


Posted by venu (tvgece) on 2011-05-31T13:28:02.000+0000

I have a global session management in bootstrap, which validates the request and starts session. By that time, request won't be dispatched. Then why to make another request to redirect to another page? As we already knew that session is wrong one? we could easily start new one right?

Posted by venu (tvgece) on 2011-05-31T13:34:02.000+0000

As I understood, The reason is the second start() command is silently ignored if it was already called in that request.

Posted by Artur Bodera (joust) on 2011-08-26T10:39:03.000+0000


session_destroy() will (by design) prevent any further session cookies to be sent. This means your use case must be avoided if you are using cookies.

Here is more info in php manual comments:…

Here are my analysis on the issue:…

Posted by Artur Bodera (joust) on 2011-08-26T10:53:34.000+0000

You don't need to destroy session in order to regenerate id. That is a wrong understanding of how sessions work.

Here is how you clear a session with ZF:

<pre class="highlight">
// assuming sessionData is the namespace you're using

The above will result in all data in the namespace to be unset and this change will be saved in your session storage.

This is how you change session ID by sending a different cookie to browser:

<pre class="highlight">

This will result in generating a new session id and sending a new session cookie to the browser. The old session id (old cookie) becomes invalid after this function call.

Here is a fixed version of your source code:

<pre class="highlight">
Zend_Session::registerValidator(new Zend_Session_Validator_HttpUserAgent());

try {
} catch (Zend_Session_Exception $e) {

  // clear all data in all namespaces
  foreach(Zend_Session::getIterator() as $name=>$ns){

  // alternatively   $_SESSION = array()
  // generate new session id and send new cookie to browser

Posted by Artur Bodera (joust) on 2011-08-26T10:59:03.000+0000

It is an expected behavior as Zend_Session wraps around php built-in session support. By PHP's design, after destroying a session it must not be started again.…

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.