Hi Everyone,
I hope this helps you too. I noticed that opening pages in quick succession (say, by middle-clicking links to open them in tabs) in Zend Framework when you have a valid session can cause your session to expire prematurely.
So anyway, I found the problem to be caused [in part] by PHP’s session_regenerate_id(), which is used by Zend Framework to stop session fixation security issues. Unfortunately, I have to disable this line in Zend/Session.php as it’s causing me problems.
I have read some comments that people think it’s the browser not picking up the new session id for whatever reason?! (although I don’t have the time to look into it further yet).
As of Zend Framework 1.7.0 it’s Zend/Session.php:279
session_regenerate_id(true);
Commenting out this line doesn’t seem to have any ill effects. Of course, you could alternatively use:
session_regenerate_id(false);
But with a public website you would quickly find yourself with a lot of stale session files, and on top of that, requests that hit the expired session issue would potentially have old session data, which would make for even more baffling debugging situations!
I understand the security implications of a static session id (session hijacking etc.), and have shortened the session lifetime accordingly as a result.
In the world of ever-increasing AJAX requests, I can imagine more and more people will also have problems with this.
If I get some time to look into this further I will of course post my findings.
Thanks,
– Dan.
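
An alternative to removing the regeneration call is to keep the old session record alive for a short grace period, so parallel requests still carrying the old ID are served while the ID stays unusable afterwards. The sketch below is an added example, not Zend Framework code and not from the original post; the function names, the `_retired_at` key and the 60-second window are assumptions, and it targets PHP 7.1+.

```php
<?php
// Added example (not Zend Framework code). Names, the '_retired_at' key and
// the 60-second grace window are illustrative assumptions.
const GRACE_SECONDS = 60;

// Use in place of session_start().
function grace_session_start(): void
{
    session_start();
    $retiredAt = $_SESSION['_retired_at'] ?? null;
    if ($retiredAt !== null && $retiredAt < time() - GRACE_SECONDS) {
        // A retired ID presented after the window (a very late request or a
        // replayed ID): discard its data, delete its record, and issue a
        // fresh, empty session under a new ID.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    // Inside the window the request is served from the old record. Anything
    // it writes stays in that record and is not copied to the new session.
}

// Use where the ID is rotated (login, privilege change) instead of
// session_regenerate_id(true).
function grace_session_regenerate_id(): void
{
    if (isset($_SESSION['_retired_at'])) {
        return; // a retired session must never mint another live ID
    }
    // Persist the retirement timestamp under the OLD ID first, so requests
    // already in flight with that ID see it.
    $_SESSION['_retired_at'] = time();
    session_write_close();

    // Reopen the same session, then switch to a new ID while keeping the
    // old record on disk (false = do not delete it).
    session_start();
    session_regenerate_id(false);

    // The new session is live, so it must not carry the marker.
    unset($_SESSION['_retired_at']);
}
```

Retired records that are never requested again are left to PHP's normal session garbage collection (session.gc_maxlifetime), so they do not accumulate indefinitely.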