yiisoft / yii2

Yii 2: The Fast, Secure and Professional PHP Framework
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

Session not destroyed on logout #13565

Open zuozp8 opened 7 years ago

zuozp8 commented 7 years ago

What steps will reproduce the problem?

What is the expected result?

be logged out

What do you get instead?

still logged in

Additional info

Q A
Yii version dev-master 55cbe844b641f712bfe5c9bb8ef675e6ef287b4c
PHP version 7.1
Operating system Ubuntu

The issue occurs (without adding sleep) rarely in my ajax-heavy application. I tested it on both the default session storage using the filesystem and using memcached.

zuozp8 commented 7 years ago

As far as I can debug it, it seems that session_regenerate_id(true), used in \yii\web\Session::regenerateID, is not atomic.

/var/lib/php/sessions# inotifywait -m -r --format '%:e %f' .
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
OPEN sess_jbcqd8c0ocj3k1jvcjou9mesei
ACCESS sess_jbcqd8c0ocj3k1jvcjou9mesei
CLOSE_WRITE:CLOSE sess_jbcqd8c0ocj3k1jvcjou9mesei
DELETE sess_jbcqd8c0ocj3k1jvcjou9mesei
…

http://php.net/manual/en/function.session-regenerate-id.php warns not to destroy the session immediately. I think there must be an extra field 'invalid' saved in the old session before logout/destroy/regenerate, and it has to be checked every time the session is loaded.
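The marker-and-check scheme sketched in the comment above, written out as an added example following the pattern on the linked PHP manual page; this is not Yii's code and not the commenter's. The field names 'destroyed' and 'new_session_id', the 300 s grace period and the function names are assumptions made here.

```php
<?php
// Added example (not Yii's code): keep the old session record and mark it,
// as the PHP manual recommends, instead of session_regenerate_id(true).
// Field names and the 300 s grace period are assumptions made here.
const SESSION_GRACE_SECONDS = 300;

// Rotate the id but leave the old record in place, marked as destroyed and
// pointing at its successor, so a racing request with the old cookie cannot
// silently resurrect it.
function rotateSessionId(): void
{
    $newId = session_create_id();
    $_SESSION['new_session_id'] = $newId;
    $_SESSION['destroyed'] = time();
    session_commit();                         // persist the marked old record
    session_id($newId);
    ini_set('session.use_strict_mode', '0');  // accept the id generated above
    session_start();
    ini_set('session.use_strict_mode', '1');
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
}

// Logout: wipe the data but keep the record, so any later load rejects it.
function destroySessionMarked(): void
{
    $_SESSION = ['destroyed' => time()];
    session_commit();
}

// Use instead of a bare session_start(): every load checks the marker.
function startSessionChecked(): void
{
    session_start();
    if (!isset($_SESSION['destroyed'])) {
        return;                               // live record, nothing to do
    }
    $withinGrace = $_SESSION['destroyed'] >= time() - SESSION_GRACE_SECONDS;
    if ($withinGrace && isset($_SESSION['new_session_id'])) {
        // Cookie update lost in flight: move the client to the successor.
        $successor = $_SESSION['new_session_id'];
        session_commit();
        session_id($successor);
        session_start();
        return;
    }
    // Logout, or reuse after the grace period: refuse it and leave no auth state.
    $_SESSION = [];
    throw new RuntimeException('Access to a destroyed session');
}
```

A record written back by a request that read it before the rotation still carries the marker, so the next load with that cookie is refused rather than treated as an authenticated session.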