cakephp: DatabaseSession triggers warning when session is restarted

This is a (multiple allowed):

  • bug
  • enhancement
  • feature-discussion (RFC)
  • CakePHP Version: 3.2.12
  • Platform and Target: Apache 2.4, MySQL, PHP 7

What you did

I get a 100% reproducible warning when restarting sessions that use the database for storage.

    Warning (2): session_regenerate_id() [function.session-regenerate-id]: Session object destruction failed.  ID: user (path: ) [CORE\src\Network\Session.php, line 578]

Steps to reproduce

  1. Configure database sessions.
  2. Start a user session in the browser.
  3. Wait for the session to time out.
  4. Make a web request to CakePHP.
  5. Session is restarted and triggers warning.

Here is my app.php configuration.

    'Session' => [
        'cookie' => 'ahtag',
        'defaults' => 'database',
        'timeout' => 30,
        'handler' => [
            'model' => 'UserSessions'
        ]
    ],

The problem here is that the session ID is used to restore the previous session, but that ID has been deleted from the database.

That happens in Session.php, line 330 here:

        if ($this->_timedOut()) {
            $this->destroy();
            return $this->start();
        }

The destroy calls the database storage which does a table delete query on that ID. Later the Session::renew() is called and session_id() returns that same ID but PHP cannot continue the session since the storage is now gone.

Note: It has taken me a while to gather the reasons behind this bug, because it requires a user’s session to expire first and that makes it difficult to debug and trace.

Expected Behavior

Should continue the session without a warning, or it should just start a new session successfully.

Actual Behavior

It’s a mix between code in CakePHP and the PHP session APIs. The Session.php is clearly deleting the previous session and then trying to start another one, but the code also tries to continue the previous one.

I don’t know what the current solution is?

  1. Should Session::renew be calling session_regenerate_id?
  2. Should Session::start() be destroying the old session?
  3. Should the DatabaseSession be deleting session records (i.e. should session records be allowed to stay around for X number of days)
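
Added example, not part of the original report and not CakePHP's code: a model of the sequence described above, where the timeout path destroys the stored session and the destroy requested by session_regenerate_id() then targets the same, already deleted ID. It assumes the storage handler reports failure when its delete matches no row, which is the condition under which PHP emits "Session object destruction failed"; the class names, the session ID and the idempotent variant are hypothetical.

```php
<?php
// Added illustration, not CakePHP code; class and method names are hypothetical.
// $rows stands in for the sessions table, keyed by session ID.
class StrictHandler
{
    protected $rows = [];

    public function write(string $id, string $data): bool
    {
        $this->rows[$id] = $data;
        return true;
    }

    // Like DELETE ... WHERE id = ?: returns the number of rows removed (0 or 1).
    protected function deleteRow(string $id): int
    {
        $found = array_key_exists($id, $this->rows);
        unset($this->rows[$id]);
        return $found ? 1 : 0;
    }

    // Assumption: failure is reported when the DELETE matched no row.
    public function destroy(string $id): bool
    {
        return $this->deleteRow($id) > 0;
    }
}

// Idempotent variant: an already-missing row still counts as destroyed.
class IdempotentHandler extends StrictHandler
{
    public function destroy(string $id): bool
    {
        $this->deleteRow($id);
        return true;
    }
}

// Replays the report: destroy() on timeout, then the destroy that
// session_regenerate_id() requests for the same, reused session ID.
function replay(StrictHandler $handler): array
{
    $id = 'constructed-session-id'; // constructed sample value
    $handler->write($id, 'constructed-session-data');
    return [$handler->destroy($id), $handler->destroy($id)];
}

var_dump(replay(new StrictHandler()));
var_dump(replay(new IdempotentHandler()));
```

The second element of each result is the return value PHP would receive for the repeated destroy; a `false` there is what produces the warning.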

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 24 (21 by maintainers)

Most upvoted comments

Thanks @thinkingmedia I’ll take a look at that