I read about session vulnerability in the php manual and came across this issue: I need my server/code to generate the session-id AFTER successfully authenticating the user.
Now, I am not sure when php sets the session Id. My php application is MVC-like, and everything goes through index.php, and at the top of index.php I have session.start() since every single page (after login) uses sessions.
Is this a vulnerability risk? Or, should I put it like this: does this mean that upon first arrival to my site, even before login, the server sets a session ID for that user? Does session.start() set a session ID, or is a session ID not generated until I set my first session variable, i.e. until I do $_SESSION['foo']='bar'?
If a session is actually generated already upon session.start(), I guess a good idea would be to regenerate the session ID after authenticating. Does that solve the issue in that case?
The session ID is generated when you run session_start().

Best practice is to refresh the session ID upon login using session_regenerate_id().
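A front-controller sketch of the pattern the answer describes, added here as an example and not taken from the original post: session_start() runs on every request, and session_regenerate_id() runs only after the credentials check succeeds. The demo user store, the POST field names and the redirect target are assumptions.

```php
<?php
// Added example (not from the original answer): index.php-style front controller.
// Reject session IDs the client presents that the server never issued, so a
// pre-login ID planted by someone else is not adopted as-is.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start(); // a session ID exists from this point, even before login

// Constructed demo credential store; a real app would load this from a database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Discard the pre-login ID and delete its old session data (true), so the
    // authenticated session never keeps an ID that was known before login.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login($users, $_POST['username'], $_POST['password'])) {
        header('Location: /dashboard'); // assumed post-login route
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
    exit;
}
```

Logging the old and new session IDs around the regenerate call (without the cookie value itself) gives the operations team a simple signal for login events to correlate against.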