From 2f405da4f4ac2daa3a736866c1ade6f436437145 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 17 May 2023 11:00:54 +0900
Subject: [PATCH 1/2] fix: Session::stop() does not destory the session

---
 system/Session/Session.php | 14 +++----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/system/Session/Session.php b/system/Session/Session.php
index 497111b60030..175a275f3ef9 100644
--- a/system/Session/Session.php
+++ b/system/Session/Session.php
@@ -272,21 +272,13 @@ public function start()
 }
 /**
- * Does a full stop of the session:
+ * Destroys the current session.
 *
- * - destroys the session
- * - unsets the session id
- * - destroys the session cookie
+ * @deprecated Use destroy() instead.
 */
 public function stop()
 {
- setcookie(
- $this->sessionCookieName,
- session_id(),
- ['expires' => 1, 'path' => $this->cookie->getPath(), 'domain' => $this->cookie->getDomain(), 'secure' => $this->cookie->isSecure(), 'httponly' => true]
- );
-
- session_regenerate_id(true);
+ $this->destroy();
 }
 /**
From 4baf5ab2d1c0d63370d461a6574c6be499ba50bb Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 17 May 2023 11:02:40 +0900
Subject: [PATCH 2/2] docs: update docs

---
 user_guide_src/source/changelogs/v4.3.5.rst | 9 ++++++++
 .../source/installation/upgrade_435.rst | 12 ++++++++++
 user_guide_src/source/libraries/sessions.rst | 22 +++++++++++++++----
 .../source/libraries/sessions/038.php | 3 ---
 4 files changed, 39 insertions(+), 7 deletions(-)
 delete mode 100644 user_guide_src/source/libraries/sessions/038.php

diff --git a/user_guide_src/source/changelogs/v4.3.5.rst b/user_guide_src/source/changelogs/v4.3.5.rst
index 7ff5f2e4b5b9..76b348fd2cf7 100644
--- a/user_guide_src/source/changelogs/v4.3.5.rst
+++ b/user_guide_src/source/changelogs/v4.3.5.rst
@@ -9,6 +9,12 @@ Release Date: Unreleased
 :local:
 :depth: 3
+SECURITY
+********
+
+- Fixed that ``Session::stop()`` did not destroy the session.
+ See :ref:`Session Library ` for details.
+
 BREAKING
 ********
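Review bot: The new `stop()` body delegates entirely to `destroy()`, whose implementation is outside this hunk, so it is worth confirming that `destroy()` also expires the client-side cookie the way the removed `setcookie(..., ['expires' => 1, ...])` call did; if it only calls `session_destroy()`, the browser keeps the old ID and, where `session.use_strict_mode` is off, a later `start()` could re-adopt an ID an attacker may already have observed. The removed `session_regenerate_id(true)` migrated the data to a fresh ID rather than discarding it, so delegating to `destroy()` is the right direction for the fix itself. The docblock should record when the deprecation happened so callers can map it to the changelog, e.g. `@deprecated 4.3.5 Use destroy() instead.`, and a `@return void` line would make the contract explicit. The class that contains `stop()` begins and ends outside this hunk.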
@@ -21,6 +27,9 @@ Changes
 Deprecations
 ************
+- **Session:** The :ref:`Session::stop() ` method is deprecated.
+ Use the :ref:`Session::destroy() ` instead.
+
 Bugs Fixed
 **********
diff --git a/user_guide_src/source/installation/upgrade_435.rst b/user_guide_src/source/installation/upgrade_435.rst
index e594f5994f78..142e7318cdcd 100644
--- a/user_guide_src/source/installation/upgrade_435.rst
+++ b/user_guide_src/source/installation/upgrade_435.rst
@@ -18,6 +18,18 @@ Mandatory File Changes
 Breaking Changes
 ****************
+Session::stop()
+===============
+
+Prior to v4.3.5, the ``Session::stop()`` method did not destroy the session due
+to a bug. This method has been modified to destroy the session, and now deprecated
+because it is exactly the same as the ``Session::destroy()`` method. So use the
+:ref:`Session::destroy ` method instead.
+
+If you have code to depend on the bug, replace it with ``session_regenerate_id(true)``.
+
+See also :ref:`Session Library `.
+
 Breaking Enhancements
 *********************
diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst
index 7f316c569276..6c6b75abe0a5 100644
--- a/user_guide_src/source/libraries/sessions.rst
+++ b/user_guide_src/source/libraries/sessions.rst
@@ -345,6 +345,11 @@ intend to reuse that same key in the same request, you'd want to use
 Destroying a Session
 ====================
+.. _session-destroy:
+
+destroy()
+---------
+
 To clear the current session (for example, during a logout), you may simply use either PHP's `session_destroy() `_ function, or the library's ``destroy()`` method. Both will work in exactly the
@@ -357,11 +362,20 @@ same way:
 tempdata) will be destroyed permanently and functions will be unusable during the same request after you destroy the session.
-You may also use the ``stop()`` method to completely kill the session
-by removing the old session ID, destroying all data, and destroying
-the cookie that contained the session ID:
+.. _session-stop:
+
+stop()
+------
+
+.. deprecated:: 4.3.5
+
+The session class also has the ``stop()`` method.
+
+.. warning:: Prior to v4.3.5, this method did not destroy the session due to a bug.
-.. literalinclude:: sessions/038.php
+Starting with v4.3.5, this method has been modified to destroy the session.
+However, it is deprecated because it is exactly the same as the ``destroy()``
+method. Use the ``destroy()`` method instead.
 Accessing Session Metadata
 ==========================
diff --git a/user_guide_src/source/libraries/sessions/038.php b/user_guide_src/source/libraries/sessions/038.php
deleted file mode 100644
index 7b43795e71e4..000000000000
--- a/user_guide_src/source/libraries/sessions/038.php
+++ /dev/null
@@ -1,3 +0,0 @@
-stop();