Bug #43110

FlowSession: renewId() loses data of existing session

Added by Robert Lemke over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Must have
Assignee:
Category: Session
Start date: 2012-11-19
Due date:
% Done: 100%
Estimated time:
PHP Version: 5.3
Has patch: No
Complexity: medium

Description

Using FlowSession, on renewing the session identifier (for example after an authenticate() call), some session data seems to get lost, most importantly the security context.

This is due to the current implementation of renewId(), which loads (i.e. unserializes) all current session data in order to store it in cache entries under the new session ID. This effectively overwrites any security context or other session-scoped object currently in memory with the state found in the old cache entry.
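The failure mode described above, reduced to a self-contained PHP sketch. This is an added example, not FlowSession's code: the ToySession class, its method names, the static array standing in for the session cache and the sample values are all hypothetical, and the second renew method is one way to avoid the overwrite, not necessarily the fix the project applied.

```php
<?php
// Added illustration; ToySession is hypothetical and is not TYPO3 Flow's FlowSession.
final class ToySession
{
    public static $cache = [];  // stands in for the session cache: id => serialized data
    public $id;
    public $objects = [];       // live session-scoped objects held in memory

    public function __construct($id)
    {
        $this->id = $id;
    }

    /** Persist the in-memory state, as happens at the end of a request. */
    public function flush()
    {
        self::$cache[$this->id] = serialize($this->objects);
    }

    /** Behaviour described in the report: reload the old entry, then copy it. */
    public function renewIdByReloading()
    {
        $this->objects = unserialize(self::$cache[$this->id]); // clobbers live state
        $this->moveTo(bin2hex(random_bytes(16)));
    }

    /** Assumed alternative: store the live state under the new id, never reload it. */
    public function renewIdKeepingLiveState()
    {
        $this->moveTo(bin2hex(random_bytes(16)));
    }

    private function moveTo($newId)
    {
        unset(self::$cache[$this->id]); // the old identifier must stop being valid
        $this->id = $newId;
        $this->flush();
    }
}

foreach (['renewIdByReloading', 'renewIdKeepingLiveState'] as $method) {
    $session = new ToySession('constructed-old-id');
    $session->objects['securityContext'] = ['account' => null];
    $session->flush();                                         // cache holds the anonymous state
    $session->objects['securityContext']['account'] = 'alice'; // authenticate() changes memory only
    $session->$method();                                       // renew the id after authentication
    $account = $session->objects['securityContext']['account'];
    printf("%-26s account=%s\n", $method, var_export($account, true));
}
```

The script needs PHP 7 or later for random_bytes(). Comparing the two printed lines shows whether the account set in memory before the renewal is still present afterwards.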
