Newsgroups: php.internals
Date: Fri, 7 Jul 2023 11:52:37 -0300
From: carlosv775@gmail.com (Vinicius Dias)
To: internals@lists.php.net
Subject: session_regenerate_id concurrency problems

Hello, internals.

I hope you all are well.

The documentation page for the `session_regenerate_id`[1] function has the following warning:

> **Warning** Currently, session_regenerate_id does not handle an unstable network well, e.g. Mobile and WiFi network. Therefore, you may experience a lost session by calling session_regenerate_id. You should not destroy old session data immediately, but should use destroy time-stamp and control access to old session ID. Otherwise, concurrent access to page may result in inconsistent state, or you may have lost session, or it may cause client(browser) side race condition and may create many session ID needlessly. Immediate session data deletion disables session hijack attack detection and prevention also.

Since the documentation states that this problem exists **currently**, are there any plans to address it?

Thank you all in advance.

[1]: https://www.php.net/session_regenerate_id
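
The approach the quoted warning describes (keep the old session briefly, stamp it with a destroy time, and control access to the old ID), sketched in PHP as an added example; it is not code from this post or from the PHP project. The function names, the `destroyed_at` and `new_session_id` keys, and the 300-second window are assumptions.

```php
<?php
// Added example; names, session keys and the grace window are assumptions.
const GRACE_SECONDS = 300;

function start_session_checked(): void
{
    // Call before any output. Strict mode rejects IDs the server never issued.
    ini_set('session.use_strict_mode', '1');
    session_start();
    if (!isset($_SESSION['destroyed_at'])) {
        return; // current session, nothing to do
    }
    if ($_SESSION['destroyed_at'] < time() - GRACE_SECONDS) {
        // A retired ID presented long after rotation: possible hijack.
        $_SESSION = [];
        session_destroy();
        throw new RuntimeException('Retired session ID used after grace window');
    }
    // Inside the window the client probably missed the new cookie (lost
    // response or concurrent request), so hand it the replacement session.
    if (isset($_SESSION['new_session_id'])) {
        $newId = $_SESSION['new_session_id'];
        session_write_close();
        session_id($newId);
        session_start();
    }
}

function regenerate_session_with_grace(): void
{
    $newId = session_create_id(); // collision-checked while a session is active
    $carry = $_SESSION;           // data to move into the new session

    // Retire the old session with a destroy timestamp instead of deleting it.
    $_SESSION['destroyed_at'] = time();
    $_SESSION['new_session_id'] = $newId;
    session_write_close();

    // Strict mode would replace an ID that has no stored data yet, so it is
    // off for this one start; start_session_checked() turns it back on at the
    // beginning of the next request.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    $_SESSION = $carry;
}
```

Retired session records are left for the session garbage collector to remove, so `session.gc_maxlifetime` should be at least as long as the grace window.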