
Piwik_Session::regenerateId destroys the session #2277

Closed
anonymous-matomo-user opened this issue Apr 7, 2011 · 2 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. worksforme The issue cannot be reproduced and things work as intended.
Comments

@anonymous-matomo-user
The method Zend_Session::regenerateId actually destroys the session, unlike the PHP native session_regenerate_id, which optionally keeps the session data.
Because Piwik_Session inherits from Zend_Session, Piwik_Session::regenerateId clears out the session vars, affecting a session previously opened by another application (given that the same cookie name is used in Piwik and there, to share the login and let users log in just once for all apps).

According to the Zend documentation,
http://framework.zend.com/manual/en/zend.session.global_session_management.html
"If a user has successfully logged into your website, use rememberMe() instead of regenerateId()."
That way it doesn't hurt other applications' sessions.

File: [plugins/Login/Login.php]
Class: Piwik_Login
Method: Piwik_Session::regenerateId();
Line: #138

Piwik_Session::regenerateId();
@mattab
Member

mattab commented Apr 7, 2011

would you please be able to submit a patch (as in http://piwik.org/participate/development-process/#toc-how-to-submit-a-patch ) and confirm you have tested the change? thx

@robocoder
Contributor

You're misreading the ZF docs. If we called regenerateId() in the bootstrap for every request, then yes, we would call rememberMe().

However, for performance, we don't. Thus, we call regenerateId() upon login since there is a change in security context. Calling rememberMe() would introduce session fixation and would be considered a security bug.
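The two positions in this thread are not actually in conflict at the PHP level: the session id must be rotated at login because the privilege level changes (otherwise an id an attacker planted in the victim's cookie becomes an authenticated session, i.e. session fixation), but rotating the id does not have to discard the data that other applications stored under the shared cookie name. The following is an added example written for this page, not code from Piwik/Matomo or Zend Framework. It uses PHP's native session_regenerate_id() with delete_old_session=true, which creates a fresh id, carries $_SESSION over to it and deletes the old record. The function name, the $_SESSION keys, the user table and the planted session id are all constructed for the demonstration.

```php
<?php
// Added example, not Piwik/Matomo or Zend Framework code.
declare(strict_types=1);

/**
 * Authenticate the user and, on success, rotate the session id while
 * keeping the data other applications stored under the shared cookie.
 *
 * @param array<string,string> $users map of username => password_hash() value (constructed)
 */
function loginAndRotateSession(string $user, string $password, array $users): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        // Failed login: no change in security context, so the session is left alone.
        return false;
    }
    // The security context changes here. An id that an attacker may have
    // planted in the victim's cookie (session fixation) must stop being valid,
    // so a fresh id is generated. With delete_old_session=true the old record
    // is removed, but the contents of $_SESSION are copied to the new id, so
    // another application's data under the shared cookie survives the login.
    session_regenerate_id(true);
    $_SESSION['piwik_user'] = $user;     // hypothetical key name
    $_SESSION['auth_time']  = time();    // hypothetical key name
    return true;
}

// --- constructed demonstration (run from the CLI: php example.php) ---
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Id an attacker could have fixed in the victim's browser before login
// (only letters a-v and digits 0-9 are valid with the default sid_bits_per_character=5).
$plantedId = 'attackerplantedsessionid';
session_id($plantedId);
session_start();

// Data a different application stored under the same cookie name.
$_SESSION['other_app_pref'] = 'dark';

echo "before login: ", session_id(), PHP_EOL;
$ok = loginAndRotateSession('alice', 'correct horse', $users);
echo "login ok:     ", var_export($ok, true), PHP_EOL;
echo "after login:  ", session_id(), PHP_EOL;   // no longer equals $plantedId
echo "planted id still valid: ", var_export(session_id() === $plantedId, true), PHP_EOL;
echo "other app data kept:    ", $_SESSION['other_app_pref'] ?? '(lost)', PHP_EOL;
echo "user:                   ", $_SESSION['piwik_user'], PHP_EOL;
```

Two caveats a practitioner would want: the applications sharing the cookie must read the rotated id from the Set-Cookie header on the next request, which PHP's native session handling does for them automatically; and setting session.use_strict_mode=1 makes PHP reject an uninitialized id such as $plantedId outright, so fixation is blocked even before the login-time rotation runs. The demonstration above leaves use_strict_mode at its default so that the planted id is accepted and the effect of the rotation is visible.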

@anonymous-matomo-user anonymous-matomo-user added this to the Piwik 1.3 milestone Jul 8, 2014
This issue was closed.