delete old session file

[christa]

hi friends!!

in php > 5 i use "session_regenerate_id(TRUE)" in order to generate a new session file and delete old one.

In php 4.x the TRUE parameter doesn't exist: old files will be accumulated until the garbage collector will cleans all.

How can I delete old session file in php 4.x having regenerated the new one?

[requinix]

Don't worry about it. The system will delete them automatically - there's no need for you to do so yourself.

With $delete_old_session=true you're just being nice and letting PHP know it can delete it immediately.

[christa]

But if not erased the old session files are still there, available and working (until garbage collector). So the attacker can use one of those to forge their own identity.

[redarrow]

But if not erased the old session files are still there, available and working (until garbage collector). So the attacker can use one of those to forge their own identity.

 

How can that happen, when each new page visitor, get's a new session for them only.

 

old session is gone / deleted.

 

not unless you got all session's  in a database? and database is insecure...

[PFMaBiSmAd]

The end of life of php4 was over 4 years ago. No one should still be using php4 at this point in time in the year 2011.

[PFMaBiSmAd]

@php-real-degree,

 

Until garbage collection removes the old session data file, someone that has the old session id can visit a site and appear to be the actual visitor that had that session data file before the id was regenerated (assuming that the script is not doing anything to tie the session id to the actual visitor.)

[christa]

@php-real-degree,

 

Until garbage collection removes the old session data file, someone that has the old session id can visit a site and appear to be the actual visitor that had that session data file before the id was regenerated (assuming that the script is not doing anything to tie the session id to the actual visitor.)

exactly.

How can i "fix" this issue in php < 5.1 ???

[PFMaBiSmAd]

Delete/unlink the file yourself. You have the session id and can make the filename from that.

[christa]

Delete/unlink the file yourself. You have the session id and can make the filename from that.

how can I do this operation? the files are stored in /tmp and I do not have access to that directory.

[PFMaBiSmAd]

I do not have access to that directory.

 

^^^ What makes you think that? If php can create the session data files in that folder, you can use php to remove the session data files in that folder (that are owned by the same user that your web server/php is running under.)

 

And as someone already mentioned, why are you still using php4? It's dead and gone.

[christa]

I do not have access to that directory.

 

^^^ What makes you think that? If php can create the session data files in that folder, you can use php to remove the session data files in that folder (that are owned by the same user that your web server/php is running under.)

 

And as someone already mentioned, why are you still using php4? It's dead and gone.

well... my app runs on a hosting shared, the server isn't mine.

I'm lost in this problem: can you post some code example please?

[PFMaBiSmAd]

<?php
session_start(); // start the current/old session (loads the $_SESSION variables)
$base_name = '/sess_'; // the base name for the session data files
$old_sessionid = session_id(); // get the current/old id

$_SESSION['test'] = 123; // some test data

session_regenerate_id(); // generate a new id and a new data file

$new_sessionid = session_id(); // get the new session id to store in the user table for the current visitor

session_write_close(); // close (release) the old (and the new) session data file (php apparently doesn't close the old file when the id is regenerated)
unlink('c:' . ini_get('session.save_path') . $base_name . $old_sessionid); // delete the old session data file

session_start(); // restart the current/new session

// show the old/new session id
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";

print_r($_SESSION); // dump any session data
?>

[christa]

thanks your code seems work fine!

 

Only one question: if i remove

 

session_start(); // restart the current/new session

 

the script continues to work without errors (notice nor warning): why in you opinion?

[PFMaBiSmAd]

The $_SESSION variables still exist in the program but they are no longer part of the session data because the session data file has been written and closed.

 

Without that session_start(), if you modify/create any $_SESSION variable in your code after that point, the changes are local to that instance of your code and don't carry over to a new page request.