[imp] Fix for broken SQL session handlers since IMP 3.2.2
Michael Schout
mschout at gkg.net
Thu Aug 12 15:07:13 PDT 2004
On Thu, 12 Aug 2004, Chuck Hagenbuch wrote:
> Quoting Michael Schout <mschout at gkg.net>:
>
> > Ok, setupSessionHandler() is getting called, and it appears to be
> > working properly.
>
> Okay.
>
> > My understanding of what getCleanSession() is doing, is that it is
> > trying to throw out the old session id, and generate a new session id.
> > In other words, after login, the old session data should get removed,
> > and a NEW session id should get used (and the new session data should go
> > there). Is this a proper assessment of what that chunk of code is
> > supposed to be doing?
>
> Yes, it should force a new set of session data on login.

Ok. I have figured out why the session id is not changing. This is
looking more and more like a Horde problem, and not an IMP problem.

Apparently the reason that getCleanSession() does not succeed in
changing the session id is that it calls:

    @session_destroy();

before calling session_regenerate_id()

If I remove the call to @destroy_session() inside getCleanSession(),
then the session_regenerate_id() call succeeds and the client gets
assigned a new session_id when they submit the login form.

The old session data still gets deleted from the database, so I don't
think the session_destroy() call is necessary inside getCleanSession().

So here are the changes I have made to getCleanSession() in Horde.php:

-------------
{
Horde::logMessage("clean session", __FILE__, __LINE__);
Auth::clearAuth();
- @session_destroy();
// Make sure to force a completely new session ID.
if (version_compare(phpversion(), '4.3.3') !== -1) {
+ $old_sid = session_id();
session_regenerate_id();
+ $new_sid = session_id();
+ Horde::logMessage("old sid: $old_sid new sid: $new_sid", __FILE__, __LINE__);
} else {
if (function_exists('posix_getpid')) {
$new_session_id = md5(microtime() . posix_getpid());
} else {
-------------
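
Review bot: the added Horde::logMessage("old sid: $old_sid new sid: $new_sid", ...) line writes the live post-login session ID into the Horde log, so anyone who can read that log can reuse the session. Drop this line, together with the $old_sid and $new_sid captures, before committing, or log only whether the ID changed. The return value of session_regenerate_id() is also ignored in this branch; since the message reports that the call can return false, check it and fail the login when the ID was not replaced.
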
If I put the session_destroy() call back in, then the session_id() calls
return nothing, and session_regenerate_id() returns false.

So that is the reason that the session_id change fails. You apparently
cannot call session_regenerate_id() after you have called
session_destroy().

Without the session_destroy() call, I can log in successfully, except I
get taken to the Horde page instead of the IMP page. Haven't figured
that out yet, but at least it's progress.

I guess I should take this over to the Horde list since the problem
seems to be a Horde issue.

Thanks for pointing me in the right direction on this.

Regards,
Michael Schout
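
The ordering problem described in this message, as an added PHP example that is not part of the original post or of Horde: it compares calling session_destroy() before session_regenerate_id() with regenerating while the session is still active. The function names are hypothetical, and the `true` argument (delete the old session record) assumes PHP 5.1 or later, which is newer than the versions discussed in the thread.

```php
<?php
// Added example, not Horde code. rotateBroken() and rotateFixed() are
// hypothetical names. Run with the PHP CLI (PHP 7 or later); cookies are
// disabled so no web server or browser is needed.
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');
ini_set('session.save_path', sys_get_temp_dir());

// Order described in the message: destroy first, then try to regenerate.
function rotateBroken(): array
{
    session_start();
    $old = session_id();
    @session_destroy();              // the session is no longer active
    $ok  = @session_regenerate_id(); // nothing left to regenerate
    return ['old' => $old, 'new' => session_id(), 'regenerated' => $ok];
}

// Rotation while the session is still active: clear the pre-login data,
// then ask PHP to issue a new ID and delete the old storage record.
function rotateFixed(): array
{
    session_start();
    $old = session_id();
    $_SESSION = [];
    $ok  = session_regenerate_id(true);
    $new = session_id();
    session_write_close();
    return ['old' => $old, 'new' => $new, 'regenerated' => $ok];
}

$broken = rotateBroken();
$fixed  = rotateFixed();

// A login handler should refuse to continue if the ID did not change.
foreach (['destroy first' => $broken, 'regenerate only' => $fixed] as $label => $r) {
    $rotated = $r['regenerated'] && $r['new'] !== '' && $r['new'] !== $r['old'];
    printf("%-16s regenerated=%s rotated=%s\n", $label,
        var_export($r['regenerated'], true), var_export($rotated, true));
}
```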