
I want to secure my application a little bit, especially I want to improve the way sessions are handled. So, at this moment I know several facts:

  1. session_regenerate_id(false) does not destroy old session
  2. session_regenerate_id(true) destroys old session. With ordinary page reloads there is nothing wrong with using session_regenerate_id(true).

However, when making dozens of concurrent AJAX requests there may be a problem which results in the error message "object destruction failed".

So, there is nothing left to do but to use session_regenerate_id(false) in AJAX requests.

But what is needed, is to somehow mark previous outdated sessions, which become outdated as a result of invoking session_regenerate_id(false), as "zombie" sessions that will somehow be destroyed and not litter the sessions folder.

I need some practical advice on how to implement this.

Randika Vishman
Jacobian

1 Answer


All session cleanup, including those with regenerated IDs, is handled by PHP's session garbage collector. There is nothing special needed when calling session_regenerate_id(false) to remove old sessions from storage.

PHP's settings for session.gc_probability, session.gc_divisor, and session.gc_maxlifetime apply.

You can also run your own session storage cleanup based on last access time.

Matt S
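As an added example (not code from the answer above or from the asker), the following PHP script shows both halves of that advice: the ini settings that decide how often PHP's built-in garbage collector runs, and a small custom save handler whose gc() removes session files whose last-access time (file mtime) is older than session.gc_maxlifetime. The save directory, the class name and the 30-minute lifetime are assumptions; the handler method signatures are those of PHP 8's SessionHandlerInterface.

```php
<?php
// Added example, not from the original answer. A minimal file-based
// SessionHandler whose gc() expires sessions by last-access time. The
// directory, class name and lifetime below are assumptions.

// 1. Run the collector on roughly 1% of requests and treat sessions idle
//    for more than 30 minutes as expired. Whatever session_regenerate_id(false)
//    leaves behind is covered by the same rule.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');
ini_set('session.gc_maxlifetime', '1800');

final class FileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $path)
    {
        if (!is_dir($path)) {
            mkdir($path, 0700, true);
        }
    }

    private function file(string $id): string
    {
        // Session IDs only ever contain [a-zA-Z0-9,-]; refuse anything else so
        // a crafted cookie value cannot traverse out of $path.
        if (!preg_match('/^[a-zA-Z0-9,-]+$/', $id)) {
            throw new InvalidArgumentException('invalid session id');
        }
        return $this->path . '/sess_' . $id;
    }

    public function open(string $savePath, string $sessionName): bool
    {
        return is_dir($this->path);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $f = $this->file($id);
        return is_file($f) ? (string) file_get_contents($f) : '';
    }

    public function write(string $id, string $data): bool
    {
        // Writing refreshes the file's mtime, which gc() treats as "last access".
        return file_put_contents($this->file($id), $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $f = $this->file($id);
        return !is_file($f) || unlink($f);
    }

    // PHP calls this with session.gc_maxlifetime when the probability lottery
    // fires. An old ID abandoned by session_regenerate_id(false) is simply a
    // file that is no longer written to, so it ages out here like any other.
    public function gc(int $max_lifetime): int|false
    {
        $cutoff  = time() - $max_lifetime;
        $removed = 0;
        foreach (glob($this->path . '/sess_*') ?: [] as $f) {
            if (filemtime($f) < $cutoff && unlink($f)) {
                $removed++;
            }
        }
        return $removed;
    }
}

$handler = new FileSessionHandler(sys_get_temp_dir() . '/php_sessions');
session_set_save_handler($handler, true);
session_start();

// In an AJAX endpoint: rotate the ID without deleting the old data, so a
// concurrent request still carrying the old cookie can finish. The old file
// stops being touched and is removed by gc() once it is older than
// gc_maxlifetime; no "zombie" marking is needed.
session_regenerate_id(false);

// Optional: sweep explicitly (e.g. from a cron job) instead of relying on the
// per-request lottery.
// $handler->gc((int) ini_get('session.gc_maxlifetime'));
```

One thing to check before relying on the lottery: some distribution packages (Debian and Ubuntu, for example) ship php.ini with session.gc_probability set to 0 and clean the session directory from a cron job instead, so on such systems either keep that cron job or set gc_probability as above.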