When and why I should use session_regenerate_id()?

Why and when should I use the session_regenerate_id() function in php? Should I always use it after I use the session_start()? I've read that I have to use it to prevent session fixation, is this the only reason?

rvandoni asked Apr 09 '14 14:04


People also ask

What is session_regenerate_id ()?

session_regenerate_id() will replace the current session id with a new one, and keep the current session information. When session.use_trans_sid is enabled, output must be started after the session_regenerate_id() call. Otherwise, the old session ID is used.

Why is session hijacking successful?

Once the attacker hijacks a session, they no longer have to worry about authenticating to the server as long as the communication session remains active. The attacker enjoys the same server access as the compromised user because the user has already authenticated to the server prior to the attack.

How can I get current session id in PHP?

session_id() is used to get or set the session id for the current session. The constant SID can also be used to retrieve the current name and session id as a string suitable for adding to URLs.

What is session fixation and session hijacking difference?

In the session hijacking attack, the attacker attempts to steal the ID of a victim's session after the user logs in. In the session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes.


1 Answer

What is session_regenerate_id()?

As the function name says, it is a function that will replace the current session ID with a new one, and keep the current session information.

What does it do?

It mainly helps prevent session fixation attacks. Session fixation attacks are where a malicious user tries to exploit a vulnerability in a system to fixate (set) the session ID (SID) of another user. By doing so, they will get complete access as the original user and be able to do tasks that would otherwise require authentication.

To prevent such attacks, assign the user a new session ID using session_regenerate_id() when he successfully signs in (or for every X requests). Now only he has the session ID, and your old (fixated) session ID is no longer valid.

When should I use session_regenerate_id()?

As symbecean points out in the comments below, the session id must be changed at any transition in authentication state and only at authentication transitions.

Further reading:

  • http://php.net/session_regenerate_id
  • https://www.owasp.org/index.php/Session_fixation
  • http://en.wikipedia.org/wiki/Session_fixation
  • https://wiki.php.net/rfc/precise_session_management
Amal Murali answered Sep 20 '22 20:09
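An added example (not code from the answer above) of what "regenerate at authentication transitions" looks like in a login and logout handler; `verify_credentials()` and its single hard-coded account are hypothetical stand-ins for a real user store.

```php
<?php
declare(strict_types=1);

session_start(); // may resume an ID that an attacker planted before login

/** Hypothetical credential check; replace with your own user store. */
function verify_credentials(string $user, string $password): bool
{
    // Constructed sample account: one user with a password_hash() digest.
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/** Anonymous -> authenticated transition. */
function login(string $user, string $password): bool
{
    if (!verify_credentials($user, $password)) {
        return false; // no state change, so no regeneration needed
    }
    // Issue a fresh ID and delete the old session data (true). Whatever ID the
    // browser carried before login, fixated or not, is now invalid server-side.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

/** Authenticated -> anonymous transition. */
function logout(): void
{
    $_SESSION = [];
    // Expire the cookie so the browser stops presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a request handler (constructed input, not from a form):
if (login('alice', 'correct horse battery staple')) {
    echo "logged in as {$_SESSION['user']}, new sid=" . session_id() . "\n";
    logout();
}
```

Calling `session_regenerate_id(true)` on every request instead would work too but churns the session store and can race concurrent requests from the same browser, which is why the answer's comment restricts it to authentication transitions.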