Issues

ZF-1497: Zend_Session doesn't allow you to destory/recreate a session

Issue Type: Bug Created: 2007-06-05T15:45:23.000+0000 Last Updated: 2011-08-26T10:38:13.000+0000 Status: Resolved Fix version(s): - 1.0.4 (26/Feb/08)

Reporter: John Coggeshall (coogle) Assignee: Ralph Schindler (ralph) Tags: - Zend_Session

  • zf-crteam-padraic
  • zf-crteam-priority

Related issues: - ZF-11420

Attachments:

Description

The following doesn't work:

<pre class="highlight">
Zend_Session::start();
Zend_Session::destroy();
Zend_Session::start();

It never writes any session data, because the second start() command is silently ignored.

Here is a patch which fixes the problem:

<pre class="highlight">
Index: Session.php
===================================================================
--- Session.php (revision 5124)
+++ Session.php (working copy)
@@ -360,11 +360,6 @@
                . " output started in {$filename}/{$linenum}");
         }

-        // See <a href="http://www.php.net/manual/en/ref.session.php">http://www.php.net/manual/en/ref.session.php</a> for explanation
-        if (defined('SID')) {
-            throw new Zend_Session_Exception('session has already been started by session.auto-start or session_start()');
-        }
-
         /**
          * Hack to throw exceptions on start instead of php errors
          * @see <a href="http://framework.zend.com/issues/browse/ZF-1325">http://framework.zend.com/issues/browse/ZF-1325</a>
@@ -379,6 +374,7 @@
            throw new Zend_Session_Exception(__CLASS__ . '::' . __FUNCTION__ . '() - ' . Zend_Session_Exception::$sessionStartError);
         }

+        self::$_destroyed = false;
         parent::$_readable = true;
         parent::$_writable = true;
         self::$_sessionStarted = true;
@@ -594,11 +590,15 @@
         }

         session_destroy();
+
         self::$_destroyed = true;
-
+               self::$_sessionStarted = false;
+               self::$_regenerateIdState = -1;
+
         if ($remove_cookie) {
             self::expireSessionCookie();
         }
     }

Comments

Posted by Bill Karwin (bkarwin) on 2007-06-07T11:26:36.000+0000

Assign to Darby.

Posted by Ralph Schindler (ralph) on 2007-08-01T12:30:23.000+0000

John, I dont follow what the use case is here.

Start Destroy Start..

All within a single request, aside from making it "possible", I am interested in the Use case you present for applications to do this.

-ralph

Posted by John Coggeshall (coogle) on 2007-08-06T09:33:58.000+0000

The idea here probably was that I wanted to start from scratch with a new session every time that particular controller was called, although I'm pretty sure the code itself has changed to the point where that use-case has disappeared.

Regardless, nothing should just be silently ignored -- it should either tell me I'm using the API incorrectly or do what I ask it to.

Posted by Ralph Schindler (ralph) on 2008-02-14T15:09:11.000+0000

Added a check in Zend_Session::start() to throw an exception if destroy was called before start().

In r8010.

Posted by venu (tvgece) on 2011-05-31T13:10:29.000+0000

My requirement is, When user agent change session should destroy, and it should start new session. But Zend_Session::start() is throwing an exception if destroy was called before start().

try { 
Zend_Session::start();
 } catch (Zend_Session_Exception $e) {
 Zend_Session::destroy(true); 
Zend_Session::start(); // breaking here 
Zend_Session::regenerateId(); 
}
Zend_Session::registerValidator(new Zend_Session_Validator_HttpUserAgent());

I have a global session management in bootstrap, which validates the request and starts session. By that time, request won't be dispatched. Then why to make another request to redirect to another page? As we already knew that session is wrong one? we could easily start new one right?

Posted by venu (tvgece) on 2011-05-31T13:11:32.000+0000

I have posted a new issue here, Please check it once

Posted by venu (tvgece) on 2011-05-31T13:14:37.000+0000

here it is http://framework.zend.com/issues/browse/ZF-11420

Posted by Artur Bodera (joust) on 2011-08-26T10:38:13.000+0000

IMPORTANT! session_destroy() will (by design) prevent any further session cookies to be sent. This means your use case must be avoided if you are using cookies.

Here is more info in php manual comments: http://php.net/manual/en/…

Here are my analysis on the issue: http://framework.zend.com/issues/browse/…

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts