Session: do not regenerate session ID when is newly created

nette · Mar 13, 2019 · 3d75d11 · 3d75d11
1 parent d9405cc
commit 3d75d11
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 8 deletions.
diff --git a/src/Http/Session.php b/src/Http/Session.php
@@ -75,7 +75,7 @@ public function start()
 
 		$this->configure($this->options);
 
-		if (!session_id()) {
+		if (!session_id()) { // session is started for first time
 			$id = $this->request->getCookie(session_name());
 			if (is_string($id) && preg_match('#^[0-9a-zA-Z,-]{22,256}\z#i', $id)) {
 				session_id($id);
@@ -113,7 +113,9 @@ public function start()
 		// regenerate empty session
 		if (empty($nf['Time'])) {
 			$nf['Time'] = time();
-			$this->regenerated = true;
+			if (!empty($id)) { // ensures that the session was created in strict mode (see use_strict_mode)
+				$this->regenerateId();
+			}
 		}
 
 		// process meta metadata
@@ -135,11 +137,6 @@ public function start()
 			}
 		}
 
-		if ($this->regenerated) {
-			$this->regenerated = false;
-			$this->regenerateId();
-		}
-
 		register_shutdown_function([$this, 'clean']);
 	}
 

diff --git a/tests/Http/Session.regenerateId().phpt b/tests/Http/Session.regenerateId().phpt
@@ -23,7 +23,7 @@ $ref = 10;
 
 $session->regenerateId();
 $newId = $session->getId();
-Assert::same($newId, $oldId); // new session is regenerated by $session->start()
+Assert::notSame($newId, $oldId);
 Assert::true(is_file($path . $newId));
 
 $ref = 20;