Open zuozp8 opened 7 years ago
As far as I can debug, it seems that session_regenerate_id(true), used in \yii\web\Session::regenerateID, is not atomic.
/var/lib/php/sessions# inotifywait -m -r --format '%:e %f' .
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
OPEN sess_jbcqd8c0ocj3k1jvcjou9mesei
ACCESS sess_jbcqd8c0ocj3k1jvcjou9mesei
CLOSE_WRITE:CLOSE sess_jbcqd8c0ocj3k1jvcjou9mesei
DELETE sess_jbcqd8c0ocj3k1jvcjou9mesei
…
http://php.net/manual/en/function.session-regenerate-id.php warns not to destroy the session immediately. I think there must be an extra field 'invalid' saved in the old session before logout/destroy/regenerate, and it has to be checked every time the session is loaded.
What steps will reproduce the problem?
controllers\Sitecontroller.php, add sleep(3); at the start of actionLogout
What is the expected result?
be logged out
What do you get instead?
still logged in
Additional info
The issue occurs (without adding sleep) rarely in my AJAX-heavy application. I tested it on both the default session storage using the filesystem and using memcached.
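The 'invalid' field proposed in this report, sketched in plain PHP as an added example (it is not Yii's code and not the reporter's): the old session is flagged instead of deleted, and the flag is checked on every load. The function names, the keys `invalid_since` and `successor_id`, and the 10-second grace window are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Yii code. Key names and the grace window are assumptions.
const GRACE_SECONDS = 10; // time allowed for in-flight requests after a regenerate

/** Start the session, refusing data that an earlier request marked invalid. */
function checked_session_start(): void
{
    session_start();
    if (!isset($_SESSION['invalid_since'])) {
        return; // live session, nothing to do
    }
    $successor = $_SESSION['successor_id'] ?? null;
    $inGrace = time() - $_SESSION['invalid_since'] <= GRACE_SECONDS;
    session_write_close();
    // Late request racing a regenerate follows the successor ID;
    // a logged-out or expired session continues as a fresh anonymous one.
    session_id($successor !== null && $inGrace ? $successor : session_create_id());
    ini_set('session.use_strict_mode', '0'); // accept the ID chosen above
    session_start();
}

/** Switch to a new ID; the old session keeps a flag so racing requests can see it. */
function checked_session_regenerate(): void
{
    $data = $_SESSION;               // copy taken before the flag is added
    $newId = session_create_id();
    $_SESSION['invalid_since'] = time();
    $_SESSION['successor_id'] = $newId;
    session_write_close();           // old session is now stored with the flag

    session_id($newId);
    ini_set('session.use_strict_mode', '0');
    session_start();
    $_SESSION = $data;               // carry the data over without the flag
}

/** Log out: drop the data and leave only the flag, with no successor. */
function checked_session_logout(): void
{
    $_SESSION = ['invalid_since' => time()];
    session_write_close();           // garbage collection removes the record later
}
```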