Newsgroups: php.internals
Message-ID: <52FDD23F.9010808@sugarcrm.com>
Date: Fri, 14 Feb 2014 00:22:23 -0800
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Yasuo Ohgaki, internals@lists.php.net
Subject: Re: [VOTE] RFC: Introduce session_start() options - read_only, unsafe_lock, lazy_write and lazy_destroy

Hi!
> When the browser accesses the personal page, the application checks
> authentication status and returns the HTML page for it if the user's session is
> authenticated. The browser tries to load images which require an authenticated
> session. If session_regenerate_id() is called (timeout, etc.) while
> loading images, what happens? If old session data is deleted, the other
> images cannot be loaded because the requests are done with the old session ID.
> This scenario is valid since current browsers use multiple connections to
> load the resources of a web page.

If anything was called that makes the old session invalid, any further access to this session should result in failure. How the app does it does not really matter. Doing otherwise would be a huge security problem - you removed the session, but you can still access it. Timing does not matter - milliseconds of unauthorized access may be enough to compromise an account. So I don't see any use in a "delete, but only with delay" option - if the data is still valid, there is no reason to delete it; if it is not valid, it should be deleted immediately.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
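The two policies being argued over above can be made concrete with a small model of a session store. The following is an added example, not code from PHP's session extension or from the RFC under discussion; the `SessionStore` class, its `grace_seconds` parameter and the `run_scenario` helper are constructed for this illustration. With `grace_seconds=0` the old ID stops resolving the moment `regenerate()` returns (the behaviour Stas argues for, comparable to `session_regenerate_id(true)`); with a positive grace window the old ID keeps resolving to the authenticated session for that long, which is exactly the window of continued access that the reply objects to.

```python
"""Model of session-ID regeneration semantics (constructed example).

Two policies for the old ID after regenerate():
  - immediate: the old ID stops resolving at once
  - delayed:   the old ID keeps resolving for a grace window ("delete, but with delay")
Time is passed in explicitly so the scenario is deterministic.
"""
import secrets


class SessionStore:
    """In-memory session store; not PHP's session handler, built for this example."""

    def __init__(self, grace_seconds=0.0):
        self.grace = grace_seconds
        self._live = {}      # sid -> session data
        self._retired = {}   # old sid -> (session data, deadline); delayed policy only

    def create(self, data):
        sid = secrets.token_hex(16)
        self._live[sid] = dict(data)
        return sid

    def regenerate(self, old_sid, now):
        """Move the session to a fresh ID. Under the delayed policy the old ID
        is parked with a deadline instead of being dropped outright."""
        data = self._live.pop(old_sid)          # unknown ID raises KeyError
        new_sid = secrets.token_hex(16)
        self._live[new_sid] = data
        if self.grace > 0:
            self._retired[old_sid] = (data, now + self.grace)
        return new_sid

    def read(self, sid, now):
        """Return the session data for sid, or None if sid is not valid at `now`."""
        if sid in self._live:
            return self._live[sid]
        entry = self._retired.get(sid)
        if entry is not None:
            data, deadline = entry
            if now < deadline:
                return data                      # old ID still resolves: the risky window
            del self._retired[sid]               # grace expired, drop it for good
        return None


def is_authenticated(store, sid, now):
    """What an application's auth check sees for a request carrying `sid`."""
    data = store.read(sid, now)
    return bool(data and data.get("user_id"))


def run_scenario(grace_seconds):
    """Log in at t=0, regenerate at t=10, then probe old and new IDs at t=10.5 and t=20."""
    store = SessionStore(grace_seconds)
    old = store.create({"user_id": 42})
    new = store.regenerate(old, now=10.0)
    return {
        "new_id_after_regen": is_authenticated(store, new, 10.5),
        "old_id_during_window": is_authenticated(store, old, 10.5),
        "old_id_after_window": is_authenticated(store, old, 20.0),
    }


if __name__ == "__main__":
    print("immediate:", run_scenario(0.0))   # old ID rejected at once
    print("delayed  :", run_scenario(5.0))   # old ID still accepted at t=10.5
```

Under the immediate policy every probe with the old ID fails, so the browser's parallel image requests carrying the stale ID get a 401-style outcome and must re-fetch with the new cookie. Under the delayed policy those same requests succeed during the grace window, and so would any request made by someone else holding the old ID, which is the point of the objection.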