Hi all,
Current session_regenerate_id() has issues. I'll try to explain what these
are.
Issue 1: Old session data is not deleted.
session_regenerate_id() does not delete old session by default. It leaves
old session available. When attacker could steal session ID via
XSS/sniffing/etc, attacker can use session ID as valid ID as long as
application allows. No detection/prevention of security breach is possible
at session module level. This behavior is unacceptable for security reason.
Issue 2: Old session data cannot be deleted.
session_regenerate_id(TRUE) deletes old session data immediately. It's good
for security, but if there are multiple connections from a client to server
(e.g. AJAX/iframe/tabs/etc), valid connection may fail since it could be
using old session ID. Therefore, session_regenerate_id() does not delete
old session data. Immediate session data deletion is unacceptable for
reliable operation.
To solve these 2 issues, we need to delay old session data deletion. Delete
old session data 60 seconds later, for example.
If there is any other feasible solutions are welcome. I cannot think of any.
Regards,
P.S. Even with HTTP 2.0, old session data cannot be deleted immediately.
User may use multiple tabs.
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
Before I start working on revised session module improvement patch, I would
like to address session_regenerate_id() issue.
Current
session_regenerate_id()has issues. I'll try to explain what these
are.Issue 1: Old session data is not deleted.
session_regenerate_id()does not delete old session by default. It leaves
old session available. When attacker could steal session ID via
XSS/sniffing/etc, attacker can use session ID as valid ID as long as
application allows. No detection/prevention of security breach is possible
at session module level. This behavior is unacceptable for security reason.Issue 2: Old session data cannot be deleted.
session_regenerate_id(TRUE) deletes old session data immediately. It's
good for security, but if there are multiple connections from a client to
server (e.g. AJAX/iframe/tabs/etc), valid connection may fail since it
could be using old session ID. Therefore,session_regenerate_id()does not
delete old session data. Immediate session data deletion is unacceptable
for reliable operation.To solve these 2 issues, we need to delay old session data deletion.
Delete old session data 60 seconds later, for example.If there is any other feasible solutions are welcome. I cannot think of
any.
Current behavior (leaving active session that attackers may be abusing) is
far from optimal. I can only think of delayed deletion as the solution for
this.
Delayed session deletion implementation has 2 options. (Introducing
separate API has severe overheads. Thus, it's not an option)
- set and check time stamp in $_SESSION. (Keep save handler/serializer
compatibility) - set and check time stamp in raw session data. (Need save
handler/serializer modification)
This is "must be fixed" design problem for new release. IMHO.
I don't mind which new release, but this should be fixed someday.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
Current
session_regenerate_id()has issues. I'll try to explain what these
are.Issue 1: Old session data is not deleted.
session_regenerate_id()does not delete old session by default. It leaves
old session available. When attacker could steal session ID via
XSS/sniffing/etc, attacker can use session ID as valid ID as long as
application allows. No detection/prevention of security breach is possible
at session module level. This behavior is unacceptable for security reason.Issue 2: Old session data cannot be deleted.
session_regenerate_id(TRUE) deletes old session data immediately. It's good
for security, but if there are multiple connections from a client to server
(e.g. AJAX/iframe/tabs/etc), valid connection may fail since it could be
using old session ID. Therefore,session_regenerate_id()does not delete
old session data. Immediate session data deletion is unacceptable for
reliable operation.To solve these 2 issues, we need to delay old session data deletion. Delete
old session data 60 seconds later, for example.If there is any other feasible solutions are welcome. I cannot think of any.
Regards,
P.S. Even with HTTP 2.0, old session data cannot be deleted immediately.
User may use multiple tabs.
I'm not sure if we should handle that in PHP, application usually regenerates
session on important events (i.e. on user login/logout etc.), so any requests
with old session should be denied, and this can be achieved using
session_regenerate_id(TRUE). Wouldn't it be better to write a security
note in the documentation rather than making whole thing more complex?
Regards,
Mateusz
Hi Mateusz,
On Fri, Mar 14, 2014 at 4:41 PM, Mateusz Kocielski shm@digitalsun.plwrote:
I'm not sure if we should handle that in PHP, application usually
regenerates
session on important events (i.e. on user login/logout etc.), so any
requests
with old session should be denied, and this can be achieved using
session_regenerate_id(TRUE). Wouldn't it be better to write a security
note in the documentation rather than making whole thing more complex?
The issue is that session_regenerate_id(TRUE) is unreliable. It could cause
race condition since requests from client are not synchronized. There is no
way to force synchronized access resources to clients. Out of sync issue
would be more noticeable under mobile environment, networks with poor
congestion control and/or the same web app in multiple tabs.
Users may set timeout flag in $_SESSION array and check the value if
session could be active or not. In order to do that in user land, one may do
session_start()
// ** check timeout flag **
if (!empty($_SESSION['VALID_UNTIL']) && $_SESSION['VALID_UNTIL'] < time()) {
session_destroy();
trigger_error('Possible session hijack attack detected');
die('Possible session hijack attack detected');
}
// ** set timeout flag **
if ($_SESSION['LAST_REGENERATE'] < time() + 600) {
$_SESSION['VALID_UNTIL'] = time() + 60; // Shorter is better, but rather
large value is set for lost radio/hand over/etc. Old session is allowed to
use as valid session for 60 seconds.
session_commit(); // Need to save above data in old session.
session_start();
$_SESSION['LAST_REGENERATE'] = time(); // Update regenerate time here.
session_regenerate_id(); // New session ID and old session data with old
session ID is left
unset($_SESSION['VALID_UNTIL']; // This session should not be deleted
later.
}
Something like this should be done for reliable session_regenerate_id(). I
think not many apps do this.
Above example is allowing 60 seconds window for legitimate user and
attacker. If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.
Without code like above, both attacker and user may use the session as long
as web app allows. User has no chance to know if he/she is under session
hijack attack or not. Attacker feels safe to enjoy stolen session.
This should be session manager task and calling session_regenerate_id()
should be enough for PHP users, IMO.
I didn't include automatic session ID regeneration in the RFC, but it could
be handled by session manager also. It's just a matter of storing/checking
last regenerate time. If users are following security best practices, they
should renew session ID periodically even when HTTPS is used.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi Mateusz,
On Fri, Mar 14, 2014 at 4:41 PM, Mateusz Kocielski shm@digitalsun.plwrote:
I'm not sure if we should handle that in PHP, application usually
regenerates
session on important events (i.e. on user login/logout etc.), so any
requests
with old session should be denied, and this can be achieved using
session_regenerate_id(TRUE). Wouldn't it be better to write a security
note in the documentation rather than making whole thing more complex?The issue is that session_regenerate_id(TRUE) is unreliable. It could cause
race condition since requests from client are not synchronized. There is no
way to force synchronized access resources to clients. Out of sync issue
would be more noticeable under mobile environment, networks with poor
congestion control and/or the same web app in multiple tabs.Users may set timeout flag in $_SESSION array and check the value if
session could be active or not. In order to do that in user land, one may do
session_start()
// ** check timeout flag **
if (!empty($_SESSION['VALID_UNTIL']) && $_SESSION['VALID_UNTIL'] <time()) {
session_destroy();
trigger_error('Possible session hijack attack detected');
die('Possible session hijack attack detected');
}// ** set timeout flag **
if ($_SESSION['LAST_REGENERATE'] <time()+ 600) {
$_SESSION['VALID_UNTIL'] =time()+ 60; // Shorter is better, but rather
large value is set for lost radio/hand over/etc. Old session is allowed to
use as valid session for 60 seconds.
session_commit(); // Need to save above data in old session.
session_start();
$_SESSION['LAST_REGENERATE'] =time(); // Update regenerate time here.
session_regenerate_id(); // New session ID and old session data with old
session ID is left
unset($_SESSION['VALID_UNTIL']; // This session should not be deleted
later.
}Something like this should be done for reliable
session_regenerate_id(). I
think not many apps do this.Above example is allowing 60 seconds window for legitimate user and
attacker. If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.Without code like above, both attacker and user may use the session as long
as web app allows. User has no chance to know if he/she is under session
hijack attack or not. Attacker feels safe to enjoy stolen session.This should be session manager task and calling
session_regenerate_id()
should be enough for PHP users, IMO.I didn't include automatic session ID regeneration in the RFC, but it could
be handled by session manager also. It's just a matter of storing/checking
last regenerate time. If users are following security best practices, they
should renew session ID periodically even when HTTPS is used.Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
For me, an arbitrary delay time is not a solution to this. The point
of this (unless I misunderstand) is to prevent session hijacking with
the old session ID, and simply reducing the the time window where this
can happen doesn't really solve anything, as I see it.
The only flow that makes sense to me (aside from simply nuking the old
session data immediately when the ID is regenerated) goes as follows:
- A request regenerates the session ID
- The old session data is somehow marked as read-only.
- All outstanding requests that the server has already received that
are blocked waiting for a lock on the session are able to access the
old data on a read-only basis. - When the last one of these requests has been processed, destroy the
old session data.
I realise this is likely impractical to implement in such a way that
it works reliably (or even at all) with every SAPI.
Hence I believe the only practical solution here is simply to
educate users and encourage the use of session_regenerate_id(TRUE) in
the documentation.
Hi Chris,
For me, an arbitrary delay time is not a solution to this. The point
of this (unless I misunderstand) is to prevent session hijacking with
the old session ID, and simply reducing the the time window where this
can happen doesn't really solve anything, as I see it.The only flow that makes sense to me (aside from simply nuking the old
session data immediately when the ID is regenerated) goes as follows:
- A request regenerates the session ID
- The old session data is somehow marked as read-only.
- All outstanding requests that the server has already received that
are blocked waiting for a lock on the session are able to access the
old data on a read-only basis.- When the last one of these requests has been processed, destroy the
old session data.I realise this is likely impractical to implement in such a way that
it works reliably (or even at all) with every SAPI.
Indeed, there is no way to enforce serialized access to resources...
Hence I believe the only practical solution here is simply to
educate users and encourage the use of session_regenerate_id(TRUE) in
the documentation.
If session_regenerate_id(TRUE) is reliable, then it's not an issue.
However, session_regenerate_id(TRUE) is unreliable.
Apps that suddenly logout would not be an option for almost all developers.
Feasible solution is to allow some window of risks. I agree that there is
risk, but the risk is reduced a lot with this. The window is configurable,
too. Current risk enforced by default (i.e. session_regenerate_id(FALSE))
is too much to accept.
If session_regenerate_id(TRUE) could be used for an app, it's still
possible to delete old data immediately.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hello,
On Fri, Mar 14, 2014 at 4:41 PM, Mateusz Kocielski shm@digitalsun.plwrote:
I'm not sure if we should handle that in PHP, application usually
regenerates
session on important events (i.e. on user login/logout etc.), so any
requests
with old session should be denied, and this can be achieved using
session_regenerate_id(TRUE). Wouldn't it be better to write a security
note in the documentation rather than making whole thing more complex?The issue is that session_regenerate_id(TRUE) is unreliable. It could cause
race condition since requests from client are not synchronized. There is no
way to force synchronized access resources to clients. Out of sync issue
would be more noticeable under mobile environment, networks with poor
congestion control and/or the same web app in multiple tabs.
I don't see why we should be so worried about it. Answer from server could not
be delivered, thousand things can simply go wrong, all those "exceptions"
should be handled by the application.
Users may set timeout flag in $_SESSION array and check the value if
session could be active or not. In order to do that in user land, one may do
session_start()
// ** check timeout flag **
if (!empty($_SESSION['VALID_UNTIL']) && $_SESSION['VALID_UNTIL'] <time()) {
session_destroy();
trigger_error('Possible session hijack attack detected');
die('Possible session hijack attack detected');
}// ** set timeout flag **
if ($_SESSION['LAST_REGENERATE'] <time()+ 600) {
$_SESSION['VALID_UNTIL'] =time()+ 60; // Shorter is better, but rather
large value is set for lost radio/hand over/etc. Old session is allowed to
use as valid session for 60 seconds.
session_commit(); // Need to save above data in old session.
session_start();
$_SESSION['LAST_REGENERATE'] =time(); // Update regenerate time here.
session_regenerate_id(); // New session ID and old session data with old
session ID is left
unset($_SESSION['VALID_UNTIL']; // This session should not be deleted
later.
}Something like this should be done for reliable
session_regenerate_id(). I
think not many apps do this.Above example is allowing 60 seconds window for legitimate user and
attacker. If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.Without code like above, both attacker and user may use the session as long
as web app allows. User has no chance to know if he/she is under session
hijack attack or not. Attacker feels safe to enjoy stolen session.
Every pot has two handles, user has no chance to know is he/she is under
session attack, but also server doesn't know who's the attacker and who's the
victim. What if we'll regenerate session upon attacker's request?
This should be session manager task and calling
session_regenerate_id()
should be enough for PHP users, IMO.
I see your arguments valid, but I feel that it's sweeping under the rug the
real problem, which is handling async requests properly.
I didn't include automatic session ID regeneration in the RFC, but it could
be handled by session manager also. It's just a matter of storing/checking
last regenerate time. If users are following security best practices, they
should renew session ID periodically even when HTTPS is used.
Is periodically renewing session ID really a big benefit? If an attacker can
obtain session id from victim once, then with probability ~1 session can be
stolen again.
BTW, don't get me wrong, I'm not against making PHP more secure, I just want
to keep things as simple as possible (which is usually good for security too).
Regards,
Mateusz Kocielski
On Fri, Mar 14, 2014 at 8:03 PM, Mateusz Kocielski shm@digitalsun.plwrote:
On Fri, Mar 14, 2014 at 4:41 PM, Mateusz Kocielski <shm@digitalsun.pl
wrote:I'm not sure if we should handle that in PHP, application usually
regenerates
session on important events (i.e. on user login/logout etc.), so any
requests
with old session should be denied, and this can be achieved using
session_regenerate_id(TRUE). Wouldn't it be better to write a security
note in the documentation rather than making whole thing more complex?The issue is that session_regenerate_id(TRUE) is unreliable. It could
cause
race condition since requests from client are not synchronized. There is
no
way to force synchronized access resources to clients. Out of sync issue
would be more noticeable under mobile environment, networks with poor
congestion control and/or the same web app in multiple tabs.I don't see why we should be so worried about it. Answer from server could
not
be delivered, thousand things can simply go wrong, all those "exceptions"
should be handled by the application.
Application means client side application?
Suppose you have gallery application that only shows user's photo. Every
request
for photo should use authenticated session. If session_regenerate_id(TRUE)
is called
during page rendering, what happens?
Users may set timeout flag in $_SESSION array and check the value if
session could be active or not. In order to do that in user land, one
may do
session_start()
// ** check timeout flag **
if (!empty($_SESSION['VALID_UNTIL']) && $_SESSION['VALID_UNTIL'] <
time()) {
session_destroy();
trigger_error('Possible session hijack attack detected');
die('Possible session hijack attack detected');
}// ** set timeout flag **
if ($_SESSION['LAST_REGENERATE'] <time()+ 600) {
$_SESSION['VALID_UNTIL'] =time()+ 60; // Shorter is better, but
rather
large value is set for lost radio/hand over/etc. Old session is allowed
to
use as valid session for 60 seconds.
session_commit(); // Need to save above data in old session.
session_start();
$_SESSION['LAST_REGENERATE'] =time(); // Update regenerate time here.
session_regenerate_id(); // New session ID and old session data with
old
session ID is left
unset($_SESSION['VALID_UNTIL']; // This session should not be deleted
later.
}Something like this should be done for reliable
session_regenerate_id().
I
think not many apps do this.Above example is allowing 60 seconds window for legitimate user and
attacker. If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.Without code like above, both attacker and user may use the session as
long
as web app allows. User has no chance to know if he/she is under session
hijack attack or not. Attacker feels safe to enjoy stolen session.Every pot has two handles, user has no chance to know is he/she is under
session attack, but also server doesn't know who's the attacker and who's
the
victim. What if we'll regenerate session upon attacker's request?
It's explained in previous mail
Above example is allowing 60 seconds window for legitimate user and
attacker. If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.
Currently, both user and attacker can use session.
This should be session manager task and calling
session_regenerate_id()
should be enough for PHP users, IMO.I see your arguments valid, but I feel that it's sweeping under the rug the
real problem, which is handling async requests properly.
If there is feasible way at session manager level...
In user land, there is a way to work round. Developer may implement auto
login feature properly and
get authentication async way. If auto login is implemented, request with
lost session may acquires
proper authenticated session via auto login feature.
Properly implemented auto login
- Must limit exposure of auto login key (i.e. use path parameter for
cookie) - Must have long enough random key (i.e. use /dev/urandom and SHA-256 or
better) - Must have key usable only once (i.e. Never allow to use the same key
multiple times)
There could be race condition for auto login key, but client may try to
auto login several times.
This could be done with AJAX request. This does not work for simple image
request/etc, though.
I didn't include automatic session ID regeneration in the RFC, but it
couldbe handled by session manager also. It's just a matter of
storing/checking
last regenerate time. If users are following security best practices,
they
should renew session ID periodically even when HTTPS is used.Is periodically renewing session ID really a big benefit? If an attacker
can
obtain session id from victim once, then with probability ~1 session can be
stolen again.
Of course attacker may, but
If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.
This is much better than current. Risk is mitigated rather than left open.
BTW, almost all security measures are mitigation.
BTW, don't get me wrong, I'm not against making PHP more secure, I just want
to keep things as simple as possible (which is usually good for security
too).
I agree.
Session manager has to do more, but user code becomes simpler, no need to
use AJAX nor time stamp management.
If users need more strict HTTP session management like I described, they
may implement it by themselves.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Application means client side application?
Suppose you have gallery application that only shows user's photo. Every
request
for photo should use authenticated session. If session_regenerate_id(TRUE)
is called
during page rendering, what happens?
By application I meant client side application. I don't believe that
periodically regenerating session introduces better security. Regarding the
case you provide, if session_regenerate_id(TRUE) is used in the page which
contains photos, then all requests for images will contain new session
cookie. (If browser requests for photos, then body of the document was
received, thus also headers with new cookie was received). If
session_regenerate_id() is used elsewhere, then I think that it's not our
problem. However, we should update our documentation to note the problem.
BTW,
https://bugs.php.net/search.php?cmd=display&search_for=session_regenerate_id
- it seems that users also don't see this issue as a problem.
Of course attacker may, but
If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.This is much better than current. Risk is mitigated rather than left open.
BTW, almost all security measures are mitigation.
I don't see how risk is mitigated in that case. User will lose session (if it
was regenerated by attacker) which probably result in logout, I don't believe
that typical user will be alarmed. As a result we'll get an attacker and user
using distinct sessions - how many applications already deny using two
distinct sessions for one account?
Regards,
Mateusz Kocielski
Hi Mateusz,
On Sun, Mar 16, 2014 at 5:53 PM, Mateusz Kocielski shm@digitalsun.plwrote:
Application means client side application?
Suppose you have gallery application that only shows user's photo. Every
request
for photo should use authenticated session. If
session_regenerate_id(TRUE)
is called
during page rendering, what happens?By application I meant client side application. I don't believe that
periodically regenerating session introduces better security. Regarding the
Stealing session ID is easy even with HTTPS. Therefore, changing session ID
is
the security best practice to mitigate risk.
case you provide, if session_regenerate_id(TRUE) is used in the page which
contains photos, then all requests for images will contain new session
cookie. (If browser requests for photos, then body of the document was
received, thus also headers with new cookie was received). If
session_regenerate_id()is used elsewhere, then I think that it's not our
problem.
It's session manager problem. Currently, session module allows to exploit
stolen session
as long as app allows even when user follows security best practice. i.e.
call session_regenerate_id()
periodically. I think almost all apps do not have proper mitigation.
There must be mitigation and it could be done with deletion time stamp by
session manager.
It's a session manager design issue. Session manager should provide
mitigation rather than leaving
it to users. IMO.
I copied following lines from previous my mail just in case you missed it.
Users may set timeout flag in $_SESSION array and check the value if
session could be active or not. In order to do that in user land, one may do
session_start()
// ** check timeout flag **
if (!empty($_SESSION['VALID_UNTIL']) && $_SESSION['VALID_UNTIL'] < time()) {
session_destroy();
trigger_error('Possible session hijack attack detected');
die('Possible session hijack attack detected');
}
// ** set timeout flag **
if ($_SESSION['LAST_REGENERATE'] < time() + 600) {
$_SESSION['VALID_UNTIL'] = time() + 60; // Shorter is better, but rather
large value is set for lost radio/hand over/etc. Old session is allowed to
use as valid session for 60 seconds.
session_commit(); // Need to save above data in old session.
session_start();
$_SESSION['LAST_REGENERATE'] = time(); // Update regenerate time here.
session_regenerate_id(); // New session ID and old session data with old
session ID is left
unset($_SESSION['VALID_UNTIL']; // This session should not be deleted
later.
}
However, we should update our documentation to note the problem.
BTW,
https://bugs.php.net/search.php?cmd=display&search_for=session_regenerate_id
- it seems that users also don't see this issue as a problem.
Two of them are mine ;)
Of course attacker may, but
If session is hijacked,
- User could know attack if session ID is regenerated by attacker.
- Attacker could know there is hijack protection if session ID is
regenerated by user.This is much better than current. Risk is mitigated rather than left
open.
BTW, almost all security measures are mitigation.I don't see how risk is mitigated in that case. User will lose session (if
it
was regenerated by attacker) which probably result in logout, I don't
believe
that typical user will be alarmed.
Session manager can raise error for invalid access. Programmer may catch
the
error and warn user/attacker if users are cautious.
As a result we'll get an attacker and user
using distinct sessions - how many applications already deny using two
distinct sessions for one account?
This one is user (PHP developer) issue since session manager does not know
about users. Web apps may allow or disallow multiple sessions. It's
developer's choice.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
// ** set timeout flag **
if ($_SESSION['LAST_REGENERATE'] <time()+ 600) {
$_SESSION['VALID_UNTIL'] =time()+ 60; // Shorter is better, but rather
large value is set for lost radio/hand over/etc. Old session is allowed to
use as valid session for 60 seconds.
session_commit(); // Need to save above data in old session.
session_start();
$_SESSION['LAST_REGENERATE'] =time(); // Update regenerate time here.
session_regenerate_id(); // New session ID and old session data with old
session ID is left
unset($_SESSION['VALID_UNTIL']; // This session should not be deleted
later.
}
BTW,
$_SESSION['LAST_REGENERATE'] = time(); // Update regenerate time here.
This is bad code for new session save handler. This should be
$_SESSION['NEXT_REGENERATE'] = time()+600; // Update regenerate time here.
This way, unneeded session data writes can be avoided.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
Current
session_regenerate_id()has issues. I'll try to explain what
these are.Issue 1: Old session data is not deleted.
session_regenerate_id()does not delete old session by default. It leaves
old session available. When attacker could steal session ID via
XSS/sniffing/etc, attacker can use session ID as valid ID as long as
application allows. No detection/prevention of security breach is possible
at session module level. This behavior is unacceptable for security reason.Issue 2: Old session data cannot be deleted.
session_regenerate_id(TRUE) deletes old session data immediately. It's
good for security, but if there are multiple connections from a client to
server (e.g. AJAX/iframe/tabs/etc), valid connection may fail since it
could be using old session ID. Therefore,session_regenerate_id()does
not delete old session data. Immediate session data deletion is
unacceptable for reliable operation.To solve these 2 issues, we need to delay old session data deletion.
Delete old session data 60 seconds later, for example.If there is any other feasible solutions are welcome. I cannot think of
any.
I've update old RFC related to this.
https://wiki.php.net/rfc/session_regenerate_id
I hope I've explained well enough why delayed deletion is needed.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net