Session: do not regenerate session ID when is newly created

Author: dg

src/Http/Session.php

@@ -75,7 +75,7 @@ public function start()
 
 		$this->configure($this->options);
 
-		if (!session_id()) {
+		if (!session_id()) { // session is started for first time
 			$id = $this->request->getCookie(session_name());
 			if (is_string($id) && preg_match('#^[0-9a-zA-Z,-]{22,256}\z#i', $id)) {
 				session_id($id);
@@ -113,7 +113,9 @@ public function start()
 		// regenerate empty session
 		if (empty($nf['Time'])) {
 			$nf['Time'] = time();
-			$this->regenerated = true;
+			if (!empty($id)) { // ensures that the session was created in strict mode (see use_strict_mode)
+				$this->regenerateId();
+			}
 		}
 
 		// process meta metadata
@@ -135,11 +137,6 @@ public function start()
 			}
 		}
 
-		if ($this->regenerated) {
-			$this->regenerated = false;
-			$this->regenerateId();
-		}
-
 		register_shutdown_function([$this, 'clean']);
 	}
 

tests/Http/Session.regenerateId().phpt

@@ -23,7 +23,7 @@ $ref = 10;
 
 $session->regenerateId();
 $newId = $session->getId();
-Assert::same($newId, $oldId); // new session is regenerated by $session->start()
+Assert::notSame($newId, $oldId);
 Assert::true(is_file($path . $newId));
 
 $ref = 20;