Issues

ZF2-52: ::regenerateId() fails and ::rememberMe() clears session storage

Issue Type: Bug Created: 2011-08-22T07:24:49.000+0000 Last Updated: 2011-08-25T12:15:04.000+0000 Status: Resolved Fix version(s): Reporter: Artur Bodera (joust) Assignee: Artur Bodera (joust) Tags: - Zend\Authentication

  • Zend\Session

Related issues: Attachments: - ZF2-52.patch

Description

When using Zend\Authentication\Storage\Session there is no easy way to use SessionManager::rememberMe() due to a bug.

When creating new session cookie, SessionManager clears the whole session registry which also clears Authentication storage.

i.e.

<pre class="highlight">
$sessionManager->start();
$auth = new AuthService(new AuthSession('Zend_Auth','storage',$sessionManager));

// (...)  perform authentication

$auth->getStorage()->write($user->id);
$sessionManager->rememberMe(84600);   // this clears the authentication storage because of a bug.

Comments

Posted by Artur Bodera (joust) on 2011-08-22T09:50:43.000+0000

Current session implentation performs the following tasks when regenerating id (using php session extension, assuming session started before): 1) session_start() 2) session_destroy() 3) session_regenerate_id() 4) session_start()

This will fail with PHP 5.0+, because of how session extension works. Here is a test code:

<pre class="highlight">
session_start();
session_destroy();
session_regenerate_id();
session_start();
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [2] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [3] => Pragma: no-cache
// )

Note there are NO COOKIES being sent. This is because session_destroy() will prevent any consequent operations and will refuse to send proper cookies.

Here is a proper way to regenerate session id:

<pre class="highlight">
session_start();
// session_destroy(); DO NOT destroy session
session_regenerate_id();
// session_start();   already started
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [2] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [3] => Pragma: no-cache
//     [4] => Set-Cookie: PHPSESSID=4412k2at1c8temh9fepgcleau0; path=/
// )

Alternatively, the regeneration has to occur BEFORE session_destroy(). This is a PHP quirk, mentioned here: http://php.net/manual/en/…

<pre class="highlight">
session_start();
session_regenerate_id();
session_destroy();
session_start();
print_r(headers_list());

// Array
// (
//     [0] => X-Powered-By: PHP/5.3.6
//     [1] => Set-Cookie: PHPSESSID=4412k2at1c8temh9fepgcleau0; path=/
//     [2] => Expires: Thu, 19 Nov 1981 08:52:00 GMT
//     [3] => Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
//     [4] => Pragma: no-cache
// )

~Tested with PHP 5.3.6 and 5.2.9~

Posted by Artur Bodera (joust) on 2011-08-22T10:38:30.000+0000

Pull request: https://github.com/zendframework/zf2/pull/352

Posted by Artur Bodera (joust) on 2011-08-25T12:15:04.000+0000

Please pull

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts