Question

I have a strange issue that drives me mad... I was writing my own MVC framework and I was working on session management with MySQL, when I noticed that the session_regenerate_id function sometimes was generating new sessions from nowhere... After many hours trying to guess what the hell could be wrong, I ended up bypassing all my code and running a blank page with this simple PHP script:

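<?php
// $_SESSION does not exist before session_start(), so this branch runs on every request.
if (!isset($_SESSION)) {
    session_start();
    $_SESSION['user'] = 'kikko68';
    $_SESSION['name'] = 'cristian';
    $_SESSION['mail'] = 'cri89@kij.com';
}
$old = session_id();            // ID in use after session_start()
session_regenerate_id(true);    // issue a new ID and delete the old session record
$new = session_id();            // ID after regeneration
echo "OLD = " . $old . "<br>NEW = " . $new;
?>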

I've tested this script on a web server and this is the result:

---------------load page---------------------
OLD = ffa4e90763d61a2f733364fddb86bbf4
NEW = 7293a7268c77406075c78a38bc148c34
---------------refresh-----------------------
OLD = 7293a7268c77406075c78a38bc148c34
NEW = d21e6da87635fb2934b286679850c830
---------------refresh-----------------------
OLD = d21e6da87635fb2934b286679850c830
NEW = 9686e91f66565358bceaa4bac8d8a563

And as you can see, at every refresh the NEW ID becomes the OLD one.

On my local installation instead (XAMPP), things seem to have any sense...

---------------load page---------------------
OLD = c1vgleb55j0tpeu21mr3l1rip5
NEW = dn2hfst79nuqtcegi91qikrv34
---------------refresh-----------------------
OLD = th1tk5dmaovdlrdka4frf07is0
NEW = s7a990magimfccc0qtnl66rfp0
---------------refresh-----------------------
OLD = hkpadq4pjtbtcmap3m3322al21
NEW = q17lh3asev8rkv3ld1f4mu2tk0

Can someone explain to me the reason why this is happening? Thanks.

Solution

The server results make sense to me, and the XAMPP results do not. It would appear that in the XAMPP environment, the old session is never being recognized at all. So session_start() creates a brand new one with a new ID (that's ID change #1) and then your session_regenerate_id() call creates a further new one (that's ID change #2).

To test, capture the session ID immediately after session_start(). The question should become, not "Why are two IDs being generated in my script?" but "Why is my script not finding and loading a valid session on session_start()?"
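
The test suggested in the answer, written out as an added example (not part of the original question or answer). It compares the ID the browser sent, the ID right after session_start(), and the ID after regeneration; the `hits` counter key is a hypothetical name, and cookie-based sessions are assumed.

```php
<?php
// Added diagnostic sketch: separates "session_start() issued a fresh ID"
// from "session_regenerate_id() rotated an existing one".

// ID presented by the browser, read before PHP touches the session.
$cookieName = session_name();                 // PHPSESSID unless reconfigured
$sentId     = $_COOKIE[$cookieName] ?? null;

session_start();
$startId = session_id();                      // ID right after session_start()

// A session that was really loaded carries data written by the last request.
// 'hits' is a hypothetical key used only for this check.
$hits = $_SESSION['hits'] ?? 0;
$_SESSION['hits'] = $hits + 1;

session_regenerate_id(true);                  // rotate ID, delete old record
$newId = session_id();

if ($sentId === null) {
    $verdict = 'no session cookie received (expected on the first load only): '
             . 'check cookie domain, path and secure flag';
} elseif ($sentId !== $startId) {
    $verdict = 'cookie ID was not accepted; session_start() issued a new ID';
} elseif ($hits === 0) {
    $verdict = 'ID accepted but no stored data found: check session.save_path '
             . 'or the custom save handler';
} else {
    $verdict = 'existing session loaded; only session_regenerate_id() changed the ID';
}

// Plain text so the cookie value is never interpreted as HTML.
header('Content-Type: text/plain');
printf("cookie sent      : %s\n", $sentId ?? '(none)');
printf("after start      : %s\n", $startId);
printf("after regenerate : %s\n", $newId);
printf("hits before      : %d\n", $hits);
printf("verdict          : %s\n", $verdict);
printf("save_path        : %s\n", ini_get('session.save_path'));
printf("use_strict_mode  : %s\n", ini_get('session.use_strict_mode'));
printf("cookie params    : %s\n", json_encode(session_get_cookie_params()));
```

On a healthy setup every refresh after the first reports the last verdict, with "cookie sent" equal to the previous request's "after regenerate" value.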

Licensed under: CC-BY-SA with attribution