Jump to content

delete old session file

christa

By christa
in PHP Coding Help

 Share

Recommended Posts

christa Member

christa

Posted
Posted

hi friends!!

in php > 5 i use "session_regenerate_id(TRUE)" in order to generate a new session file and delete old one.

In php 4.x the TRUE parameter doesn't exist: old files will be accumulated until the garbage collector will cleans all.

How can I delete old session file in php 4.x having regenerated the new one?

Link to comment
https://forums.phpfreaks.com/topic/228215-delete-old-session-file/
Share on other sites
redarrow Advanced Member

redarrow

Posted
Posted

But if not erased the old session files are still there, available and working (until garbage collector). So the attacker can use one of those to forge their own identity.

 

How can that happen, when each new page visitor, get's a new session for them only.

 

old session is gone / deleted.

 

not unless you got all session's  in a database? and database is insecure...

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

@php-real-degree,

 

Until garbage collection removes the old session data file, someone that has the old session id can visit a site and appear to be the actual visitor that had that session data file before the id was regenerated (assuming that the script is not doing anything to tie the session id to the actual visitor.)

christa Member

christa

Posted
  • Author
Posted

@php-real-degree,

 

Until garbage collection removes the old session data file, someone that has the old session id can visit a site and appear to be the actual visitor that had that session data file before the id was regenerated (assuming that the script is not doing anything to tie the session id to the actual visitor.)

exactly.

How can i "fix" this issue in php < 5.1 ???

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

I do not have access to that directory.

 

^^^ What makes you think that? If php can create the session data files in that folder, you can use php to remove the session data files in that folder (that are owned by the same user that your web server/php is running under.)

 

And as someone already mentioned, why are you still using php4? It's dead and gone.

christa Member

christa

Posted
  • Author
Posted

I do not have access to that directory.

 

^^^ What makes you think that? If php can create the session data files in that folder, you can use php to remove the session data files in that folder (that are owned by the same user that your web server/php is running under.)

 

And as someone already mentioned, why are you still using php4? It's dead and gone.

well... my app runs on a hosting shared, the server isn't mine.

I'm lost in this problem: can you post some code example please?

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted 
<?php
session_start(); // start the current/old session (loads the $_SESSION variables)
$base_name = '/sess_'; // the base name for the session data files
$old_sessionid = session_id(); // get the current/old id

$_SESSION['test'] = 123; // some test data

session_regenerate_id(); // generate a new id and a new data file

$new_sessionid = session_id(); // get the new session id to store in the user table for the current visitor

session_write_close(); // close (release) the old (and the new) session data file (php apparently doesn't close the old file when the id is regenerated)
unlink('c:' . ini_get('session.save_path') . $base_name . $old_sessionid); // delete the old session data file

session_start(); // restart the current/new session

// show the old/new session id
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";

print_r($_SESSION); // dump any session data
?>

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

The $_SESSION variables still exist in the program but they are no longer part of the session data because the session data file has been written and closed.

 

Without that session_start(), if you modify/create any $_SESSION variable in your code after that point, the changes are local to that instance of your code and don't carry over to a new page request.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.