nette/http

Restarting session after ID regeneration loses session

KacerCZ opened this issue · 2 comments

  • bug report? yes
  • feature request? no
  • version: 2.4.6

Description

I found a problem with restarting the session after the session ID was regenerated.
This is because \Nette\Http\Session::start() always takes the session ID from the request cookie. Invoking \Nette\Http\Session::regenerateId() changes the session ID. Closing the session and starting it again changes the session ID to the value stored in the cookie, but this session ID is already deleted.

Steps To Reproduce

$session = new Session();
$session->start(); // Session ID is taken from cookie.
$session->regenerateId(); // Session ID is changed.
$session->close(); // Session with old ID is deleted, session with new ID is written.
$session->start(); // Session ID is taken from cookie - PROBLEM
// it is old session ID, not the regenerated one and all session data are lost

dg commented

For information, the ID is taken from the cookie since nette/nette#965.

Can you send a PR?

What is the correct fix for this issue? Always get the session ID using session_id() in the methods start() and exists()?
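
The sequence reported in this issue, as an added example that is not part of the thread and is not Nette code: it uses PHP's native session functions on the CLI to show what a restart finds under the stale cookie ID and under the ID reported by session_id() after regeneration. The `readSession()` helper, the `$cookieId` value and the `user` key are constructed for the illustration.

```php
<?php
// Constructed CLI reproduction using PHP's native session functions, not Nette.
// Session settings must be applied before any output is produced.
ini_set('session.use_cookies', '0');      // no cookie handling on the CLI
ini_set('session.cache_limiter', '');     // no cache headers
ini_set('session.use_strict_mode', '0');  // accept an ID supplied via session_id()
ini_set('session.save_path', sys_get_temp_dir());

// Hypothetical helper: start a session under $id, copy its data, then remove it.
function readSession(string $id): array
{
    session_id($id);
    session_start();
    $data = $_SESSION;
    session_destroy(); // clean up the record so the script leaves nothing behind
    return $data;
}

// Request begins: the browser cookie carries this ID (constructed value).
$cookieId = bin2hex(random_bytes(16));
session_id($cookieId);
session_start();
$_SESSION['user'] = 'alice';

// Regenerate and delete the old record. The cookie value this request
// arrived with now names a session that no longer exists.
session_regenerate_id(true);
$currentId = session_id();
session_write_close();

// Restart with the ID from the request cookie, as start() is described to do.
$fromCookie = readSession($cookieId);

// Restart with the ID the session extension reported after regeneration.
$fromCurrent = readSession($currentId);

echo 'restart with cookie ID:  ', json_encode($fromCookie), PHP_EOL;
echo 'restart with current ID: ', json_encode($fromCurrent), PHP_EOL;
```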