PHP Classes

Bug: session_regenerate_id(true)

Subject: Bug: session_regenerate_id(true)
Summary: Problem with version_compare() if statement
Messages: 2
Author: Seth Carter
Date: 2010-07-24 15:08:48
Update: 2010-07-24 15:48:58
 

  1. Bug: session_regenerate_id(true)
Seth Carter - 2010-07-24 15:08:48
There's a problem with the RegenerateID method - The version_compare() check to allow the passing of the optional parameter for session_regenerate_id() is reversed:

version_compare('5.1.0', phpversion(), '>=')

Means that only users of version 5.1.0 can use session_regenerate_id(true) - E.g. if you're running 5.1.1 the statement will evaluate as false as 5.1.0 is NOT greater than or equal to 5.1.1, see http://www.php.net/version_compare

The statement should be written as:

version_compare(phpversion(), "5.1.0", ">=")

I have fixed this bug and added session lifetime and destroys methods in my own version of this class available at http://www.phpclasses.org/package/5947-PHP-Prevent-session-hijacking-and-fixation-attacks.html
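
The argument-order problem reported above, as an added example that is not part of the original post or of either class: it evaluates both forms of the check over constructed version strings around the 5.1.0 boundary, then gates the delete-old-session flag on the corrected form. The function names are hypothetical, and the fallback to session_regenerate_id() with no argument when the check fails is an assumption about how such a gate would be written.

```php
<?php
// Added illustration; all function names here are hypothetical.

// Check as quoted in the post: asks "is 5.1.0 >= the running version?"
function reversedCheck($running)
{
    return version_compare('5.1.0', $running, '>=');
}

// Corrected check: asks "is the running version >= 5.1.0?"
function correctedCheck($running)
{
    return version_compare($running, '5.1.0', '>=');
}

// Constructed sample versions on both sides of the boundary.
$samples = array('4.4.9', '5.0.5', '5.1.0', '5.1.1', '5.3.2');

printf("%-8s %-9s %-9s\n", 'version', 'reversed', 'corrected');
foreach ($samples as $v) {
    printf(
        "%-8s %-9s %-9s\n",
        $v,
        reversedCheck($v) ? 'true' : 'false',
        correctedCheck($v) ? 'true' : 'false'
    );
}

// Gate the optional argument on the corrected check. When the gate
// wrongly fails on a newer PHP, the flag is never passed and the old
// session's data stays on the server under the old id after a
// regeneration, which is what the regeneration is meant to prevent.
function regenerateSessionId()
{
    if (correctedCheck(PHP_VERSION)) {
        // The delete_old_session argument exists from PHP 5.1.0 on.
        return session_regenerate_id(true);
    }
    // Assumed fallback for older PHP: no argument available.
    return session_regenerate_id();
}
```

regenerateSessionId() is only defined here, not called; call it after session_start(), for example right after a login succeeds.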

  2. Re: Bug: session_regenerate_id(true)
Vagharshak Tozalakyan - 2010-07-24 15:48:58 - In reply to message 1 from Seth Carter
Thank you for your comment, that was fixed in class source...