function SessionManager::regenerate

Same name in other branches
  1. 9 core/lib/Drupal/Core/Session/SessionManager.php \Drupal\Core\Session\SessionManager::regenerate()
  2. 8.9.x core/lib/Drupal/Core/Session/SessionManager.php \Drupal\Core\Session\SessionManager::regenerate()
  3. 10 core/lib/Drupal/Core/Session/SessionManager.php \Drupal\Core\Session\SessionManager::regenerate()

File

core/lib/Drupal/Core/Session/SessionManager.php, line 171

Class

SessionManager
Manages user sessions.

Namespace

Drupal\Core\Session

Code

public function regenerate($destroy = FALSE, $lifetime = NULL) : bool {
    // Nothing to do if we are not allowed to change the session.
    if ($this->isCli()) {
        return FALSE;
    }
    // Drupal will always destroy the existing session when regenerating a
    // session. This is in line with the recommendations of @link https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
    // OWASP session management cheat sheet. @endlink
    $destroy = TRUE;
    // Cannot regenerate the session ID for non-active sessions.
    if (\PHP_SESSION_ACTIVE !== session_status()) {
        // Ensure the metadata bag has been stamped. If the parent::regenerate()
        // is called prior to the session being started it will not refresh the
        // metadata as expected.
        $this->getMetadataBag()
            ->stampNew($lifetime);
        return FALSE;
    }
    return parent::regenerate($destroy, $lifetime);
}
