 

regenerating session id

I am thinking of using this code on every page to reduce the possibility of session hijacking, by renewing the session_id on every request:

session_start();               // $_SESSION is only populated once the session has been started
if (!empty($_SESSION)) {       // the superglobal is $_SESSION, not $_session
    // ...
}

Another way to achieve so would be to do this:

session_start();               // session_regenerate_id() needs an active session
if (!empty($_SESSION)) {
    session_regenerate_id(true);   // true deletes the old session record immediately
}

However, I have heard criticisms of that function saying that if the page is refreshed too fast for some reason, the session id becomes invalid.

Another way to use the session id is to have more control over how a session is generated.

There are other ways to achieve this. What's the best practice?

Dmitry Makovetskiyd asked Nov 15 '11 10:11




4 Answers

Calling session_regenerate_id on every page is an unnecessary overhead.

You should only be calling it at the point of login or any time you re-authorize a user.

If you want, you could additionally store the last regenerated time in the session and then call session_regenerate_id after, say, 30 minutes, but there's definitely no need for this to be done on every page.

fire answered Sep 21 '22 06:09


I did indeed have problems (on page refresh or inside AJAX requests) using session_regenerate_id(true); on each request.

But not with session_regenerate_id();

So, according to

Renew the Session ID After Any Privilege Level Change https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change

Regenerate SID on each request http://en.wikipedia.org/wiki/Session_fixation#Regenerate_SID_on_each_request

I use

  • session_regenerate_id(); on each request
  • session_regenerate_id(true); on login, logout etc (any privilege level change)
Christos Pontikis answered Sep 22 '22 06:09


Best practice is to use SSL (and apply the usual defences against other security attack vectors such as XSS and SQL injection). Cycling session ids is just begging for race conditions.

Quentin answered Sep 19 '22 06:09
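The three answers above pull in different directions: regenerate only at login and every 30 minutes (fire), regenerate on every request but without deleting the old record so a refresh or AJAX call racing the rotation is not locked out (Christos Pontikis), and put the session behind TLS so there is less to rotate away from (Quentin). The following is an added example, not code from the question or any of the answers, that combines all three. The function and constant names (secure_session_start, regenerate_session, rotate_if_due, on_login, on_logout, REGEN_INTERVAL, DESTROY_GRACE) are this example's own; it assumes PHP 7.3 or later with the default file session handler, and the grace-period idea (mark the old record as destroyed and point it at the new id, rather than deleting it at once) is the pattern the PHP manual describes under session_regenerate_id().

```php
<?php
declare(strict_types=1);

// Added example: race-tolerant session id rotation with hardened cookie flags.
// Names and timings here are illustrative assumptions, not from the original page.

const REGEN_INTERVAL = 30 * 60;  // seconds between routine regenerations (fire's answer)
const DESTROY_GRACE  = 60;       // seconds a retired id stays usable (covers a racing request)

/**
 * Start the session with hardened cookie settings. Returns false when the
 * presented id was retired more than DESTROY_GRACE seconds ago: a real client
 * would already hold the new id, so this is worth logging as a replay attempt.
 */
function secure_session_start(): bool
{
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, discarded with the browser
        'path'     => '/',
        'secure'   => true,    // only sent over TLS (Quentin's answer)
        'httponly' => true,    // invisible to JavaScript, limits XSS theft
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued (fixation)
    session_start();

    if (isset($_SESSION['destroyed'])) {
        if ($_SESSION['destroyed'] < time() - DESTROY_GRACE) {
            session_unset();
            return false;  // stale id: grace period over
        }
        // Inside the grace period (refresh or AJAX call that raced the rotation):
        // move this request onto the new id instead of failing it.
        if (isset($_SESSION['new_session_id'])) {
            session_commit();
            session_id($_SESSION['new_session_id']);
            session_start();
        }
    }
    return true;
}

/**
 * Issue a new id and carry the data over. The old record is not deleted
 * (as session_regenerate_id(true) would do) but tombstoned with the new id,
 * which is what lets secure_session_start() rescue a concurrent request.
 */
function regenerate_session(): void
{
    $data  = $_SESSION;
    $newId = session_create_id();

    $_SESSION['destroyed']      = time();   // tombstone the old record...
    $_SESSION['new_session_id'] = $newId;   // ...and point it at its successor
    session_commit();

    session_id($newId);
    ini_set('session.use_strict_mode', '0'); // strict mode would reject an id we chose ourselves
    session_start();
    ini_set('session.use_strict_mode', '1');

    $_SESSION = $data;
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
    $_SESSION['regenerated_at'] = time();
}

/** Routine rotation: call once per request after secure_session_start(). */
function rotate_if_due(): void
{
    if (time() - ($_SESSION['regenerated_at'] ?? 0) > REGEN_INTERVAL) {
        regenerate_session();
    }
}

/** Privilege change: never keep the pre-authentication id after a successful login. */
function on_login(int $userId): void
{
    regenerate_session();
    $_SESSION['user_id'] = $userId;
}

/** Logout: nothing to carry over, so immediate deletion of the old record is correct here. */
function on_logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Per-page usage:
if (!secure_session_start()) {
    http_response_code(403);  // someone presented an id that was rotated away long ago
    exit;
}
rotate_if_due();
```

The split answers the question's refresh worry directly: session_regenerate_id(true) fails a racing request because the old record is gone, whereas keeping the old record for DESTROY_GRACE seconds and forwarding it to the new id lets the second request succeed while still retiring the old id shortly afterwards. An id that turns up after the grace period can only come from a client that never received the rotation, which is the hijack signal worth alerting on.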


Instead of generating session IDs, why don't you encrypt and use the already generated one? It can be used and destroyed when the intended action is complete.

Cheruiyot Felix answered Sep 21 '22 06:09