Flourish PHP Unframework
This is an archived copy of the forum for reference purposes

New session file on every request

posted by marcus 10 years ago

Hello again.

I just noticed through Firebug that fSession regenerates the session id on every request, thus creating a new session file every time.

I don't know if this actually is an issue but wanted to ask about it just to be sure. My authorization routine checks for a user token in the session, tries to create a user object based on it and if it succeeds it runs fAuthorization::setUserAuthLevel() with whatever level the user has.

I do this on every request, is this the way it's meant to be used?

Kindly, Marcus

Right, setting the user auth level or ACLs or user token causes the session id to be regenerated to prevent issues with session fixation.

You should only call fAuthorization::setUserAuthLevel() when a user first logs in. Since it is in the session it will persist until they log out.

posted by wbond 10 years ago

Yes, I noticed that when I actually read the code. I was being stupid.

posted by marcus 10 years ago

What would be the proper solution to manage a session cart while the user is not logged in? Then in the session process they're given the chance to log in. What is the proper way to get the cart (session) to transfer to the new session id after login and new credentials are picked up?

posted by gabriel u. 9 years ago

To manage a cart when a user is not logged in, simply use fSession. When you use fAuthorization to log someone in, a new session id is generated, but all of the old data is automatically moved to the new session id.

posted by wbond 9 years ago
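
The pattern described in the replies above, as an added example that is not part of the original thread or the Flourish code base: the auth level and user token are set once in the login handler, and the anonymous cart is plain fSession data. It assumes the Flourish classes are already loaded; find_user(), add_to_cart(), log_in(), current_user_token(), the level names and the sample user record are hypothetical.

```php
<?php
// Added example. Assumes Flourish is loaded (autoloader or includes).
// Level names and all helper functions below are hypothetical.
fAuthorization::setAuthLevels(array('admin' => 100, 'user' => 50, 'guest' => 25));
fSession::open();

// Constructed sample user store; a real application would query its database.
function find_user($login, $password)
{
    $users = array(
        'alice' => array(
            'hash'  => password_hash('example-only', PASSWORD_DEFAULT),
            'level' => 'user',
        ),
    );
    if (isset($users[$login]) && password_verify($password, $users[$login]['hash'])) {
        return array('token' => $login, 'level' => $users[$login]['level']);
    }
    return null;
}

// Anonymous visitors: the cart is ordinary session data.
function add_to_cart($sku, $qty)
{
    $cart = fSession::get('cart', array());
    $cart[$sku] = (isset($cart[$sku]) ? $cart[$sku] : 0) + (int) $qty;
    fSession::set('cart', $cart);
}

// Login handler: the only place the auth level and token are set.
// Per the thread, these calls regenerate the session id (session fixation
// defence) and the existing session data, including 'cart', moves with it.
function log_in($login, $password)
{
    $user = find_user($login, $password);
    if ($user === null) {
        return false;
    }
    fAuthorization::setUserAuthLevel($user['level']);
    fAuthorization::setUserToken($user['token']);
    return true;
}

// Every other request only reads what the login stored in the session,
// so no new session id (and no new session file) is created.
function current_user_token()
{
    return fAuthorization::checkLoggedIn() ? fAuthorization::getUserToken() : null;
}
```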