session_regenerate_id() old data not copied to new session ID

In PHP I’m using MySQL with Memcached backend for storing session information. Every few minutes I need to regenerate the session ID to prevent replay attack. However when using session_regenerate_id(true), sometimes session data from old ID are not copied to the new regenerated ID. Therefore everytime when the session regenerated, I’ll be logged out if I’m currently logged in to the web app.

To fix it, I need to regenerate the ID without deleting the old data, flush the session data into database, stop then restart the session with new ID

$new_sess_id = session_id();

// this enable the backend to write the session data to backend storage
$this->data_changed = true; 

// this will call the write() function to save session data to backend


Cloudflare & phpBB3

Session handling in phpBB3 requires a user to use one IP address per session, therefore if your IP address changed, you will be prompt to login again.

Cloudflare is a web caching service that cache static contents of a website by acting as the nameserver that manage the website domain name. Therefore, every request to the domain name will pass through Cloudflare system first and any cached contents will be served from Cloudflare servers instead of the web hosting server.

However, when using Cloudflare service, the REMOTE_ADDR value for PHP $_SERVER will follow Cloudflare servers IP address. Therefore, you might face problem when using phpBB (or any other web app that rely on session tied to the IP address) with this service.

So, we need to edit phpBB session.php file to grab the correct variable for the users’ real IP address. Edit includes/session.php


$this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : '';

Replace with:

$this->ip = (!empty($_SERVER['HTTP_CF_CONNECTING_IP']))
          ? (string) $_SERVER['HTTP_CF_CONNECTING_IP']
          : ((!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : '');

HTTP_CF_CONNECTING_IP is special header value passed by Cloudflare servers containing visitors’ real IP address, and in case this variable not set, we use the good ol REMOTE_ADDR