I've had this problem in a couple of ZF applications now and it's very frustrating:

Near the top of my bootstrap I have the following two lines

Zend_Session::start();
Zend_Session::regenerateId();

My application requires authentication using Zend_Auth and uses default session storage for persisting an identity. At random the session is lost giving the effect that the user has logged out. If I remove the call to Zend_Session::regenerateId() the session is not lost.

Regenerating the session id increases security so I'd like to get this working. This problem occurs on both my local development server (windows) and our staging server (linux)

+3  A: 

Hi dcaunt,

After reading your question I have been looking for a solution to your problem. Actually, according to Zend Framework: Documentation, the solution is quite easy.

"If a user has successfully logged into your website, use rememberMe() instead of regenerateId()."

I hope this will help you out.

Greetings,

Younes

[edit: this is the link of where I found this: Zend Framework: Documentation]

Younes
Seems to work - I had read the docs and not acknowledged their relevance. Looking at the source code, I don't know why it works - it seems to just call regenerateId() after setting a session expiry date/time. Many thanks
David Caunt
+2  A: 

Hey David,

I've had a related problem with Zend_Session. Your session might have gotten lost due to the following problem:

Try using this:

Zend_Session::rememberMe(100); // any value here

Then go to any of your pages in the application with your session data set (user logged in for example) and click on the refresh button of the browser very quickly (like double clicking) for 3-5 times. You'll see that your session data has disappeared :(

The only way I could deal with this is by not using the rememberMe() method for now. I hope somebody will shed light on this issue here. What I think is that the regenerateId() method somehow messes up the cookie value so that subsequent calls from the browser to the server do not get associated with an existing session id.

Slavic
You're right - I've experienced this a lot when making asynchronous requests, as they can cause a race condition and an older session ID overwrites the latest one. The best advice I have read is to regenerate the session ID when a change in state is made, i.e. the user is logged in, rather than on every page. This avoids session fixation attacks.
David Caunt
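A small Python model of the race condition David describes in the last comment, added here as an illustration and not code from this thread or from Zend Framework: two concurrent requests (say a page and an AJAX call) carry the same session cookie, and regenerating the id on every request leaves the browser holding the cookie of an empty session, while regenerating only at login does not. The SessionServer class, the ids and the user name are constructed for the example; the model assumes, as the comment above does, that regenerating the id destroys the old session.

```python
class SessionServer:
    """Minimal stand-in for a server-side session store (constructed for this example)."""

    def __init__(self, regenerate_every_request):
        self.store = {}  # session id -> session data
        self.counter = 0
        self.regenerate_every_request = regenerate_every_request

    def _new_id(self):
        self.counter += 1
        return f"sid{self.counter}"

    def handle(self, cookie_sid, login=False):
        """Handle one request; returns (sid sent back in Set-Cookie, session data)."""
        # session start: resume the session named by the cookie, or create an empty one
        if cookie_sid in self.store:
            sid = cookie_sid
        else:
            sid = self._new_id()
            self.store[sid] = {}
        if login:
            self.store[sid]["identity"] = "dcaunt"  # constructed user
        # regenerateId(): move the data to a fresh id and destroy the old id
        if self.regenerate_every_request or login:
            new_sid = self._new_id()
            self.store[new_sid] = self.store.pop(sid)
            sid = new_sid
        return sid, dict(self.store[sid])


def simulate(regenerate_every_request):
    """Return True if the identity survives two concurrent requests after login."""
    server = SessionServer(regenerate_every_request)
    cookie, _ = server.handle(None, login=True)  # browser now holds the post-login id
    # Both requests leave the browser with the same cookie, before either response arrives
    sid_a, _ = server.handle(cookie)
    sid_b, data_b = server.handle(cookie)  # stale cookie: with per-request regeneration
    #                                        the old id is already gone, so this is empty
    cookie = sid_b  # assume B's response arrives last, so its Set-Cookie wins
    _, data = server.handle(cookie)
    return "identity" in data
```

With regeneration on every request the second request finds no session for the stale id and the user appears logged out; regenerating only when the authentication state changes avoids the race and still defeats session fixation.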