Dev Tools · 1h ago
Mezzio Session Library Rotates IDs on Every Write, Breaking Polyglot Setups
A developer discovered that Mezzio's session library regenerates the session ID on every data change, not just on login. This defense-in-depth against session fixation caused a stale reference problem in a multi-backend system sharing sessions via Redis. The behavior, while secure for single apps, breaks distributed architectures that rely on a stable session ID.
Meridian48 take
The story highlights a classic security-vs-interoperability tradeoff: Mezzio's aggressive session rotation is technically correct but poorly documented, leaving polyglot teams to discover the hard way that their session contract is a moving target.
session-fixationmezzio