Bug Report #1699
Database session driver leaves old sessions sitting around in rare cases
| Status: | Closed | Start date: | 05/25/2009 | |
|---|---|---|---|---|
| Priority: | Low | Due date: | ||
| Assignee: |  Chris Bandy |
% Done: | 0% |
|
| Category: | Libraries:Session | |||
| Target version: | 2.4 | |||
| Resolution: | invalid | Points: |
Description
I noticed that my session table was getting a lot more session rows created than should be and investigated the issue (I'm just anal like that I guess). It appears that a rare combination of session ID regeneration and session destroying leads to sessions not being deleted from the database.
The destroy() function uses the current session ID (as far as PHP is concerned) as the session value to delete, but if regenerate() was called on the current session, the session ID will now be different. So if destroy() is called after regenerate() has been called, it uses the new session ID as the key instead of the session ID that existed before the regenerate() call.
The solution is to simply alter the destroy() method to use $this->session_id, which contains the session ID that existed before the regenerate() call.
History
Updated by Jeremy Bush almost 3 years ago
- Status changed from New to Assigned
- Assignee set to Chris Bandy
- Priority changed from Normal to Low
- Target version set to 2.4
- 11 set to 2.3.4
Updated by Kiall Mac Innes over 2 years ago
- Status changed from Assigned to Closed
- Resolution set to invalid
From going through all the code - This seems to be only possible if garbage collection is disabled (which is a bad idea when using any session driver - including the native "driver"). The table will grow to a point, but GC will keep any surplus rows in check.