Hello, internals. I hope you all are well.
The documentation page for the
session_regenerate_id1 function has
the following warning:
Currently, session_regenerate_id does not handle an unstable network
well, e.g. Mobile and WiFi network. Therefore, you may experience a
lost session by calling session_regenerate_id.
You should not destroy old session data immediately, but should use
destroy time-stamp and control access to old session ID. Otherwise,
concurrent access to page may result in inconsistent state, or you may
have lost session, or it may cause client(browser) side race condition
and may create many session ID needlessly. Immediate session data
deletion disables session hijack attack detection and prevention also.
Since the documentation states that this problem exists currently,
are there any plans to address it?
Thank you all in advance.