session_regenerate_id(); not working with php database session

Time:03-11

I am using session_set_save_handler to save sessions in a database instead of files. When using session_regenerate_id(), it creates the new session id, but all the session data goes blank and there is no entry.

old session id - ajphtktier8essc3sjdrj26fei

session class write function query

    REPLACE INTO sessions(id,access,data) VALUES('ajphtktier8essc3sjdrj26fei','1116980724','CSRFP-Token|a:bs:{i:0;s:10:\"6251880c66\";i:1;s:10:\"c6ec0a462b\";}userid|i:7;auserid|s:1:\"0\";')

after session_regenerate_id()

new sessionid - pinbo270grhbaaaijbntqhl790sgn

session class write function query

    REPLACE INTO sessions(id,access,data) VALUES('','','')

All the values go blank and my user is unable to log in.

The session file handles session_start(); this file is included in the script.

My code after verifying login credentials:

    session_regenerate_id();  
    $_SESSION['userid'] = $row2['id'];
    $_SESSION['auserid'] = "0";
    header('Location: index.php');
    exit();

CodePudding user response:

You forgot:

    <?php
    session_start();

This must be on the first line of your script.

CodePudding user response:

Official PHP Manual warning for session_regenerate_id:

Warning

Currently, session_regenerate_id does not handle an unstable network well, e.g. Mobile and WiFi network. Therefore, you may experience a lost session by calling session_regenerate_id.

You should not destroy old session data immediately, but should use destroy time-stamp and control access to old session ID. Otherwise, concurrent access to page may result in inconsistent state, or you may have lost session, or it may cause client(browser) side race condition and may create many session ID needlessly. Immediate session data deletion disables session hijack attack detection and prevention also.
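The destroy time-stamp approach that the quoted warning describes, as an added example that is not part of the original answer or the asker's code. The function names, the `destroyed_at` and `successor_id` keys and the 300-second grace window are assumptions:

```php
<?php
// Added example; names, keys and the grace window are assumptions.
const GRACE_SECONDS = 300; // how long a retired ID stays usable

// Start the session; handle IDs that were already rotated away.
function start_session_checked(): void
{
    session_start();
    if (!isset($_SESSION['destroyed_at'])) {
        return; // live session
    }
    if ($_SESSION['destroyed_at'] < time() - GRACE_SECONDS) {
        // Retired ID used long after rotation: possible hijack.
        $_SESSION = [];
        session_destroy();
        throw new RuntimeException('Retired session ID presented');
    }
    if (isset($_SESSION['successor_id'])) {
        // Late request on a flaky network: continue in the new session.
        $next = $_SESSION['successor_id'];
        session_write_close();
        session_id($next);
        session_start();
    }
}

// Rotate the ID (e.g. right after login) without deleting the old record.
function rotate_session_id(): void
{
    $data = $_SESSION;                  // carry current data forward
    $newId = session_create_id();
    $_SESSION['successor_id'] = $newId; // markers stay on the OLD record
    $_SESSION['destroyed_at'] = time();
    session_write_close();              // save handler writes the old row

    session_id($newId);
    // Strict mode would reject an ID with no stored record yet; the
    // override lasts for this request only.
    session_start(['use_strict_mode' => 0]);
    $_SESSION = $data;                  // new record: data, no markers
}

if (PHP_SAPI === 'cli') {               // constructed demo run
    start_session_checked();
    $_SESSION['userid'] = 7;
    $old = session_id();
    rotate_session_id();
    var_dump($old !== session_id(), $_SESSION);
}
```

Retired records are left in storage for the save handler's garbage collection to remove once they age out.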
