admin管理员组

文章数量:1422205

I have a method createSession() that calls session_regenerate_id(true); to prevent session fixation:

class Session {
    public string $id;
    public string $username;
    public string $role;

    public function __construct(){
        session_start();
        $this->id = $_SESSION['id'] ?? 0;
        $this->role = $_SESSION['role'] ?? 'guest';
        $this->username = $_SESSION['username']  ?? 'Guest User';
    }

    public function updateSession(array $user){
        $this->createSession($user);
    }

    public function createSession(array $user){
        session_regenerate_id(true);
        $_SESSION['id'] = $user['id'];
        $_SESSION['username'] = strstr($user['email'], '@', true);
        $_SESSION['expire'] = time() + 30 * 60;
        $_SESSION['role'] = $user['role'];
    }

    public function destroySession(){
        $_SESSION = [];
        $cookie_data = session_get_cookie_params();
        setCookie(session_name(), '', time() - 42000, $cookie_data['path'], $cookie_data['domain'], $cookie_data['httponly']);
        session_destroy();
    }
}

After calling this function, all previous session data seems to be lost.

Is this behavior normal? How can I securely regenerate the session without losing existing data?

Do I need to manually copy session values before regenerating?

I’m using PHP 8.2 and storing sessions in the default file-based handler. Could the session storage settings affect this ?

I have a method createSession() that calls session_regenerate_id(true); to prevent session fixation:

class Session {
    public string $id;
    public string $username;
    public string $role;

    public function __construct(){
        session_start();
        $this->id = $_SESSION['id'] ?? 0;
        $this->role = $_SESSION['role'] ?? 'guest';
        $this->username = $_SESSION['username']  ?? 'Guest User';
    }

    public function updateSession(array $user){
        $this->createSession($user);
    }

    public function createSession(array $user){
        session_regenerate_id(true);
        $_SESSION['id'] = $user['id'];
        $_SESSION['username'] = strstr($user['email'], '@', true);
        $_SESSION['expire'] = time() + 30 * 60;
        $_SESSION['role'] = $user['role'];
    }

    public function destroySession(){
        $_SESSION = [];
        $cookie_data = session_get_cookie_params();
        setCookie(session_name(), '', time() - 42000, $cookie_data['path'], $cookie_data['domain'], $cookie_data['httponly']);
        session_destroy();
    }
}

After calling this function, all previous session data seems to be lost.

Is this behavior normal? How can I securely regenerate the session without losing existing data?

Do I need to manually copy session values before regenerating?

I’m using PHP 8.2 and storing sessions in the default file-based handler. Could the session storage settings affect this ?

  • php
  • session
Share Improve this question asked Mar 13 at 9:55 hoshiiseventeenhoshiiseventeen 11 silver badge 2
  • The documentation has a warning about potential lost session data (and examples you might be interested in). – AymDev Commented Mar 13 at 10:21
  • Because when you call session_regenerate_id(true) it regenerates the session ID and deletes the old session data, including all the session variables. While, session_regenerate_id(false) or session_regenerate_id() regenerates the session ID without deleting the old session data. All these approaches prevent session fixation. You don't need to manually copy session variables if you use session_regenerate_id(false) or session_regenerate_id() as they already preserve the session data. – Richard Commented Mar 14 at 18:48
Add a comment  | 

1 Answer 1

Reset to default 3

From the PHP manual:

function session_regenerate_id(bool $delete_old_session = false): bool {}

This is how the function is defined, so just call the function without passing the delete_old_session parameter:

session_regenerate_id();

Is this behavior normal?

Yes, as long as you pass true for the delete_old_session parameter, the old session is deleted.

How can I securely regenerate the session without losing existing data?

By using the default for the delete_old_session parameter, that is either leaving it out (the code example above) or passing the default value, false.

Do I need to manually copy session values before regenerating?

No, not at all. And also don't do it, because you have more code to debug and maintain.

I’m using PHP 8.2 and storing sessions in the default file-based handler. Could the session storage settings affect this ?

No, not in your case. It would have been an issue with the file-based handler if the data would not have been deleted.

See as well: Confusion with PHP session_regenerate_id (Q&A)

本文标签: phpWhy do my session variables disappear after calling sessionregenerateid(true)Stack Overflow

版权声明:本文标题:php - Why do my session variables disappear after calling session_regenerate_id(true)? - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744709521a2621043.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。