You are here

public function SessionManager::regenerate in Drupal 9

Same name and namespace in other branches
  1. 8 core/lib/Drupal/Core/Session/SessionManager.php \Drupal\Core\Session\SessionManager::regenerate()

File

core/lib/Drupal/Core/Session/SessionManager.php, line 205

Class

SessionManager
Manages user sessions.

Namespace

Drupal\Core\Session

Code

public function regenerate($destroy = FALSE, $lifetime = NULL) {

  // Nothing to do if we are not allowed to change the session.
  if ($this
    ->isCli()) {
    return;
  }

  // Drupal will always destroy the existing session when regenerating a
  // session. This is inline with the recommendations of @link https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
  // OWASP session management cheat sheet. @endlink
  $destroy = TRUE;

  // Cannot regenerate the session ID for non-active sessions.
  if (\PHP_SESSION_ACTIVE !== session_status()) {

    // Ensure the metadata bag has been stamped. If the parent::regenerate()
    // is called prior to the session being started it will not refresh the
    // metadata as expected.
    $this
      ->getMetadataBag()
      ->stampNew($lifetime);
    return FALSE;
  }
  return parent::regenerate($destroy, $lifetime);
}