bug #12326 [Session] remove invalid hack in session regenerate (Tobion)

fabpot · fabpot · commit eb4b20f471ba · 2014-11-02T01:24:31.000+01:00
This PR was merged into the 2.3 branch. Discussion ---------- [Session] remove invalid hack in session regenerate | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - The original issue #7380 was just caused because the developer missed to save the session before doing the redirect. That's all. Such mistakes won't happen anymore with #12341 This reverts #8270 and following. Also it makes absolutely no sense to do this only for the `files` save handler which creates huge inconsistencies. All save handlers are affected and it's more a documentation thing. Commits ------- 703d906 [Session] remove invalid workaround in session regenerate
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php b/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php
@@ -206,23 +206,7 @@ public function regenerate($destroy = false, $lifetime = null)
             $this->metadataBag->stampNew();
         }
 
-        $ret = session_regenerate_id($destroy);
-
-        // workaround for https://bugs.php.net/bug.php?id=61470 as suggested by David Grudl
-        if ('files' === $this->getSaveHandler()->getSaveHandlerName()) {
-            session_write_close();
-            if (isset($_SESSION)) {
-                $backup = $_SESSION;
-                session_start();
-                $_SESSION = $backup;
-            } else {
-                session_start();
-            }
-
-            $this->loadSession();
-        }
-
-        return $ret;
+        return session_regenerate_id($destroy);
     }
 
     /**
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/SessionStorageInterface.php b/src/Symfony/Component/HttpFoundation/Session/Storage/SessionStorageInterface.php
@@ -88,6 +88,14 @@ public function setName($name);
      * Note regenerate+destroy should not clear the session data in memory
      * only delete the session data from persistent storage.
      *
+     * Care: When regenerating the session ID no locking is involved in PHPs
+     * session design. See https://bugs.php.net/bug.php?id=61470 for a discussion.
+     * So you must make sure the regenerated session is saved BEFORE sending the
+     * headers with the new ID. Symfonys HttpKernel offers a listener for this.
+     * See Symfony\Component\HttpKernel\EventListener\SaveSessionListener.
+     * Otherwise session data could get lost again for concurrent requests with the
+     * new ID. One result could be that you get logged out after just logging in.
+     *
      * @param bool    $destroy  Destroy session when regenerating?
      * @param int     $lifetime Sets the cookie lifetime for the session cookie. A null value
      *                          will leave the system settings unchanged, 0 sets the cookie
