mezzio / mezzio-session-ext

ext-session persistence adapter for mezzio-session
https://docs.mezzio.dev/mezzio-session-ext/
BSD 3-Clause "New" or "Revised" License

destroy session on regenerate session when session is active #1

Closed weierophinney closed 4 years ago

weierophinney commented 4 years ago

There is a use case where the session has already been started and some value has already been set, e.g. CSRF session data on a login form. On authentication, it calls the session regenerate, which changes the session id but leaves the old session not persisted (the unset is not applied because the session id changed), so the old session with the value remains on disk.

To avoid it, I think we can apply session_destroy() before session_write_close() whenever the session is active.


Originally posted by @samsonasik at https://github.com/zendframework/zend-expressive-session-ext/pull/47
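
The behaviour described in the comment above can be reproduced with PHP's native files session handler. The script below is an added example, not code from mezzio-session-ext or from the pull request; the temp directory, session ids, token and user values are constructed, and both requests are simulated in one CLI process.

```php
<?php
declare(strict_types=1);

// Added illustration; ids, token and user values are constructed for the demo.
function regenerateDemo(bool $destroyFirst): array
{
    $dir = sys_get_temp_dir() . '/sess-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    ini_set('session.save_handler', 'files');
    ini_set('session.save_path', $dir);
    ini_set('session.use_cookies', '0');      // CLI run: no cookie headers
    ini_set('session.cache_limiter', '');
    ini_set('session.use_strict_mode', '0');  // accept the ids assigned below

    // Request 1 (login form): the session starts and stores a CSRF token.
    $oldId = bin2hex(random_bytes(16));
    session_id($oldId);
    session_start();
    $_SESSION['csrf'] = 'constructed-token';
    session_write_close();

    // Request 2 (login POST): resume the session, then regenerate the id.
    session_id($oldId);
    session_start();
    $data = $_SESSION;
    if ($destroyFirst) {
        session_destroy();       // removes sess_<oldId> from the save path
    }
    session_write_close();       // does nothing once the session is destroyed
    $newId = bin2hex(random_bytes(16));
    session_id($newId);
    session_start();
    $_SESSION = $data + ['user' => 'constructed-user'];
    session_write_close();

    // Inspect what is left in the save path, then clean up.
    $left = array_map('basename', glob($dir . '/sess_*'));
    array_map('unlink', glob($dir . '/sess_*'));
    rmdir($dir);
    return ['old_file_remains' => in_array('sess_' . $oldId, $left, true),
            'files' => count($left)];
}

foreach ([false, true] as $destroyFirst) {
    $r = regenerateDemo($destroyFirst);
    printf("destroy first=%s: old file remains=%s, files on disk=%d\n",
        var_export($destroyFirst, true), var_export($r['old_file_remains'], true), $r['files']);
}
```

All output is deferred to the end because PHP refuses to change session ini settings once output has been sent.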

weierophinney commented 4 years ago

@michalbundyra I've added a unit test to test that the old session is destroyed first on regenerating the session id when persisting the session.


Originally posted by @samsonasik at https://github.com/zendframework/zend-expressive-session-ext/pull/47#issuecomment-569059652

weierophinney commented 4 years ago

Hm..., the test works locally, while in Travis it still fails; I even use @runInSeparateProcess.


Originally posted by @samsonasik at https://github.com/zendframework/zend-expressive-session-ext/pull/47#issuecomment-569061180

weierophinney commented 4 years ago

@michalbundyra Travis is green now with the use of a custom session path in the unit test, please check it.


Originally posted by @samsonasik at https://github.com/zendframework/zend-expressive-session-ext/pull/47#issuecomment-569062708

michalbundyra commented 4 years ago

@samsonasik Fixed in 1.7.1.