Hi all,
This PR disables recursive session save handler function calls (any
multiple/invalid session save handler function calls)
https://github.com/php/php-src/pull/2196
This patch disables many kinds of save handler function abuses and
user script bugs. We have/had many bugs related to this patch,
including a number of save handler function related crashes. It also
allows calling session_create_id() in a user save handler function.
Currently, the SID creation save handler is assumed to generate the session ID
from scratch. With this patch, users can use session_create_id() to
generate a new ID of their own, e.g. a user ID prefixed session ID:
$newid = $user_id.session_create_id() in the SID creation save handler.
I would like to merge this fix from 7.1, or at least the required module
global var definition, so that it can be fixed later.
diff --git a/ext/session/php_session.h b/ext/session/php_session.h
index da5e485..775527c 100644
--- a/ext/session/php_session.h
+++ b/ext/session/php_session.h
@@ -205,6 +205,7 @@ typedef struct _php_ps_globals {
zend_bool use_strict_mode; /* whether or not PHP accepts
unknown session ids /
zend_bool lazy_write; / omit session write when it is possible */
zend_string session_vars; / serialized original session data */
-
zend_bool in_save_handler; /* state that if session is in save
handler or not */
} php_ps_globals;
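Review bot: the new in_save_handler field at the end of php_ps_globals is only declared in this hunk, with no initialisation or reset shown, and a guard flag like this is only safe if it is cleared at request startup and on every way out of a handler call, including error paths; otherwise one failed handler leaves the flag set and later session calls in the same request are refused. The comment "state that if session is in save handler or not" would also read better as "set while a user save handler is running".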
Any comments?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
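A simplified model of the recursion guard that the in_save_handler flag makes possible, added here as an illustration and not taken from php-src or the PR. The dispatch function, return codes and setjmp-based bailout are assumptions, since the mail shows only the field definition.

```c
#include <setjmp.h>
#include <stdio.h>

/* Model of php_ps_globals reduced to the flag this patch adds (assumed usage). */
typedef struct {
    int in_save_handler; /* 1 while a user save handler is running */
    int handler_calls;   /* times user code was actually entered */
} ps_globals_model;

static ps_globals_model ps;
static jmp_buf bailout;  /* models a fatal error unwinding out of user code */

typedef int (*user_handler)(void);
enum { PS_OK = 0, PS_REJECTED = -1, PS_BAILED = -2 };

/* Hypothetical single dispatch point for calls into user save handlers. */
static int call_save_handler(user_handler fn)
{
    int rc;
    if (ps.in_save_handler)  /* already inside a handler: refuse to recurse */
        return PS_REJECTED;
    ps.in_save_handler = 1;
    if (setjmp(bailout) == 0) {
        ps.handler_calls++;
        rc = fn();
    } else {
        rc = PS_BAILED;      /* user code aborted via longjmp */
    }
    ps.in_save_handler = 0;  /* cleared on both the normal and bailout path */
    return rc;
}

static int well_behaved(void) { return PS_OK; }
/* A user handler that calls back into a session function that dispatches again. */
static int reentrant(void) { return call_save_handler(well_behaved); }
/* A user handler that dies part-way through. */
static int crashing(void) { longjmp(bailout, 1); return PS_OK; }

int main(void)
{
    printf("plain call:      %d\n", call_save_handler(well_behaved));
    printf("recursive call:  %d\n", call_save_handler(reentrant));
    printf("crashing call:   %d\n", call_save_handler(crashing));
    printf("call after that: %d\n", call_save_handler(well_behaved));
    return 0;
}
```

Without the reset on the bailout path, the last call would be rejected for the rest of the request.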