I am thinking of using this code on every page to reduce the possibility of session hijacking, by renewing the session id on every request:

```php
// The superglobal is $_SESSION (upper case); $_session is an undefined variable
if (!empty($_SESSION)) {
    session_start();
}
```
Another way to achieve this would be:

```php
if (!empty($_SESSION)) {
    session_regenerate_id(true);
}
```
However, I heard criticisms of that function that say that if the page is refreshed too fast for some reason, the session id becomes invalid.
Another way to use the session id is to have more control over how a session is generated.
There are other ways to achieve this. What's the best practice?
Sessions (session handling) are a way to make data available across the pages of a web application. The session_regenerate_id() function generates a new session id and replaces the current one with it.
Every time a user visits a site, a new session id is assigned. Because the default session cookie expires when the browser is closed, closing the browser and then reopening it and visiting the site again also produces a new session id.
The session id is a random value generated when a session is started. It is stored as a cookie in the browser so that on subsequent requests the data stored in the session can be loaded and reused. This question is about the session id (the cookie value), not the session name (the cookie name).
Calling session_regenerate_id on every page is an unnecessary overhead.
You should only be calling it at the point of login or any time you re-authorize a user.
If you want, additionally you could store the last regenerated time in the session and then call session_regenerate_id after, say, 30 minutes, but there's definitely no need for this to be done on every page.
I had problems indeed (on page refresh or inside ajax requests) using session_regenerate_id(true); on each request.
But not with session_regenerate_id();
So, according to
Renew the Session ID After Any Privilege Level Change: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
Regenerate SID on each request: http://en.wikipedia.org/wiki/Session_fixation#Regenerate_SID_on_each_request
I use session_regenerate_id(); on each request and session_regenerate_id(true); on login, logout etc. (any privilege level change).

Best practice is to use SSL (and apply the usual defences against other security attack vectors such as XSS and SQL injection). Cycling session ids is just begging for race conditions.
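The approach the two answers above converge on (regenerate at login or any privilege change, optionally after a fixed interval, and avoid destroying the old session on every request) written out as an added example; this is not code from the question or any answer, and it assumes a plain PHP 7.3+ application using the default session handler with the constant and function names chosen here.

```php
<?php
// Added example (not from the question or any answer): rotate the session ID
// at login and, optionally, after a fixed interval, rather than on every request.
// Assumes a plain PHP 7.3+ app with the default session handler.

const SESSION_ROTATE_INTERVAL = 1800; // seconds: the "30 minutes" suggested above

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: HttpOnly keeps scripts from reading the ID, Secure limits it
    // to HTTPS (the "use SSL" advice), SameSite limits cross-site sending.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    session_start();

    // Periodic rotation keeps the old session file (delete_old_session = false),
    // so a concurrent request still carrying the old ID does not lose its data.
    if (!isset($_SESSION['rotated_at'])) {
        $_SESSION['rotated_at'] = time();
    } elseif (time() - $_SESSION['rotated_at'] > SESSION_ROTATE_INTERVAL) {
        session_regenerate_id(false);
        $_SESSION['rotated_at'] = time();
    }
}

function login_user(int $userId): void
{
    secure_session_start();
    // Privilege level changes here: issue a fresh ID and drop the old one so a
    // pre-login (possibly fixated) ID never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

function logout_user(): void
{
    secure_session_start();
    $_SESSION = [];
    session_destroy();
}
```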
Instead of generating session IDs, why don't you encrypt and use the already generated one? It can be used and destroyed when the intended action is complete.