Newsgroups: php.internals
Date: Thu, 6 Jul 2023 21:32:39 -0300
From: carlosv775@gmail.com (Vinicius Dias)
To: internals@lists.php.net
Subject: session_regenerate_id concurrency problems

Hello, internals. I hope you all are well.

The documentation page for the `session_regenerate_id`[1] function has the following warning:

> **Warning** Currently, session_regenerate_id does not handle an unstable network well, e.g. Mobile and WiFi network. Therefore, you may experience a lost session by calling session_regenerate_id. You should not destroy old session data immediately, but should use destroy time-stamp and control access to old session ID. Otherwise, concurrent access to page may result in inconsistent state, or you may have lost session, or it may cause client(browser) side race condition and may create many session ID needlessly. Immediate session data deletion disables session hijack attack detection and prevention also.

Since the documentation states that this problem exists **currently**, are there any plans to address it?

Thank you all in advance.

[1]: https://www.php.net/session_regenerate_id
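
The approach the quoted warning recommends (keep the old session record, stamp it with a destroy time, and control access to the old ID), as an added example that is not part of the original message or of PHP's own code. The function names, the `destroyed_at` key and the 60-second grace window are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Assumption: seconds an old ID stays usable after rotation (value chosen for this example).
const GRACE_SECONDS = 60;

/**
 * Rotate the ID but keep the old record, stamped with the rotation time,
 * so a late request that still carries the old cookie can be recognised.
 */
function rotate_session_id(): void
{
    $_SESSION['destroyed_at'] = time();   // stamp goes into the old record
    session_regenerate_id(false);         // false: old data is written, not deleted
    unset($_SESSION['destroyed_at']);     // $_SESSION now belongs to the new ID
}

/**
 * Start the session and classify the ID the client presented:
 *  'current'  - live ID, normal request
 *  'grace'    - rotated-out ID inside the window (a request that raced the
 *               new cookie); serve it, but do not write or rotate again
 *  'rejected' - rotated-out ID after the window: lost cookie or replayed ID
 */
function start_session_checked(): string
{
    session_start();
    if (!isset($_SESSION['destroyed_at'])) {
        return 'current';
    }
    $age = time() - (int) $_SESSION['destroyed_at'];
    if ($age <= GRACE_SECONDS) {
        return 'grace';
    }
    // Log a digest, never the raw ID, then remove the stale record.
    error_log('stale session id used, sha256 prefix '
        . substr(hash('sha256', (string) session_id()), 0, 12) . ", age {$age}s");
    $_SESSION = [];
    session_destroy();
    return 'rejected';
}
```

Call `start_session_checked()` where the application would call `session_start()`, and `rotate_session_id()` where it would call `session_regenerate_id(true)`. Skipping rotation in the `'grace'` state avoids the needless extra session IDs the warning mentions.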