Open vswarte opened 4 years ago
Anything I can do to help this along? Were you planning on just adding the extra `open` call and some unit tests to assert it actually opens the session?
If so I can def give it a shot!
It would definitely be very helpful to start with some unit tests. Ideally without a fix first to ensure they fail.
https://github.com/vswarte/yii2/commit/1fcb77d574d82041afec4321754f83f7b36e692c
This test illustrates the issue: `$before` and `$after` are identical.
I think there are two ways to go at this:
1) We can ensure the session is always started when calling `regenerateId`
2) A more local-to-the-issue fix would involve adding an `open` call to `User`'s `switchIdentity` method.
Option 1 seems to me the most logical, as other calls, e.g. `remove`, do implicitly open the session.
Option 2 would require me to write a more involved test :-)
Been a busy week's end and weekend; will get another PR illustrating the issue from the authentication side of things down somewhere this week.
@vswarte I've moved it to next release. Hope you'll find some time to dig more into it.
What steps will reproduce the problem?
Simply logging in. Our application will not generate a new session ID.
What is the expected result?
Ideally, the `switchIdentity` implementation would ensure that the session is opened for the request before attempting to change the session ID.

What do you get instead?
`regenerateID` is being called before the `open` method is called to open the session. This only happens in non-development environments, as our debug tooling seems to start the session before control gets handed to the controller.

Additional info
https://github.com/yiisoft/yii2/blob/master/framework/web/User.php#L651-L656
When `regenerateID` is called, the session is still closed for the request, causing it to not generate a new session ID. Do note that a session was created by previous requests; it is simply not set for this specific request yet. When it calls `remove` 2 lines below, the session is then implicitly opened.
I'm unsure whether or not this is intended behavior, but the docblocks for the base implementation of `regenerateID` state the following. (https://github.com/yiisoft/yii2/blob/master/framework/web/Session.php#L288) So the omission of a corresponding `open` call in `switchIdentity` seems like an oversight to me.
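A regression check for the behaviour reported above, plus the local mitigation the thread calls option 2, added here as an example (not code from the issue or from the yii2 project). It assumes yii2 is installed via Composer in the working directory and that the script runs from the CLI with nothing echoed before the session starts; the class `SessionRotatingUser` and the function `checkRegeneration` are my own names.

```php
<?php
// Added example, not code from the issue or the yii2 project. Assumes yii2 is
// installed through Composer and the script runs from the CLI with no output
// before session_start() (file session handler, default php.ini settings).
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\web\Session;

// Mitigation (option 2 from the thread): a User subclass that opens the
// session before the parent's switchIdentity() reaches regenerateID(), so the
// session ID is really rotated on login instead of silently kept. Register it
// as the application's 'user' component to use it.
class SessionRotatingUser extends \yii\web\User
{
    public function switchIdentity($identity, $duration = 0)
    {
        if ($this->enableSession) {
            Yii::$app->getSession()->open();
        }
        parent::switchIdentity($identity, $duration);
    }
}

// Regression check mirroring the report: regenerateID() on a session that is
// not yet open for this request leaves the ID unchanged; after open() it does
// rotate. Returns [before, after] pairs so a test can assert on both cases.
function checkRegeneration(): array
{
    $session = new Session();

    $closedBefore = $session->getId();   // '' while the session is closed
    $session->regenerateID(true);        // no-op: getIsActive() is false here
    $closedAfter = $session->getId();

    $session->open();
    $openBefore = $session->getId();
    $session->regenerateID(true);        // now actually rotates the ID
    $openAfter = $session->getId();
    $session->close();

    return [
        'closed' => [$closedBefore, $closedAfter], // identical: no rotation
        'open'   => [$openBefore, $openAfter],     // differ: ID rotated
    ];
}

$result = checkRegeneration();
if ($result['closed'][0] !== $result['closed'][1] || $result['open'][0] === $result['open'][1]) {
    throw new RuntimeException('unexpected regenerateID() behaviour');
}
echo "closed session: ID unchanged; open session: ID rotated\n";
```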