session_regenerate_id() old data not copied to new session ID

Ahad, 11 Mei 2014, 1:36 am0

In PHP I’m using MySQL with Memcached backend for storing session information. Every few minutes I need to regenerate the session ID to prevent replay attack. However when using session_regenerate_id(true), sometimes session data from old ID are not copied to the new regenerated ID. Therefore everytime when the session regenerated, I’ll be logged out if I’m currently logged in to the web app.

To fix it, I need to regenerate the ID without deleting the old data, flush the session data into database, stop then restart the session with new ID

session_regenerate_id();
$new_sess_id = session_id();

// this enable the backend to write the session data to backend storage
$this->data_changed = true; 



// this will call the write() function to save session data to backend
session_write_close(); 

session_id($new_sess_id);


session_start();