Developer Fixes Mezzio Library Bug That Regenerated Session IDs on Every Write
A developer building a cross-language session-sharing system between a PHP/Mezzio app and a second backend discovered that every authenticated request was generating a new session ID. The root cause was traced to the Mezzio session-cache library's CacheSessionPersistence, which regenerated the session ID on every data write as a defense against session fixation attacks. While this aggressive rotation is harmless in single-application setups, it broke the shared Redis session contract in a distributed architecture, leaving the second backend holding a stale ID pointing to a deleted session. The developer submitted a pull request to the mezzio/mezzio-session-cache repository to address the issue, which had also been independently reported by other users experiencing session loss on failed responses.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in