When and why I should use session_regenerate_id()?

by

What is session_regenerate_id()?

As the function name says, it is a function that will replace the current session ID with a new one, and keep the current session information.

What does it do?

It mainly helps prevent session fixation attacks. Session fixation attacks is where a malicious user tries to exploit the vulnerability in a system to fixate (set) the session ID (SID) of another user. By doing so, they will get complete access as the original user and be able to do tasks that would otherwise require authentication.

To prevent such attacks, assign the user a new session ID using session_regenerate_id() when he successfully signs in (or for every X requests). Now only he has the session ID, and your old (fixated) session ID is no longer valid.

When should I use session_regenerate_id()?

As symbecean points out in the comments below, the session id must be changed at any transition in authentication state and only at authentication transitions.

Further reading:

More Related Contents:

  1. how can I print multiple services in this way
  2. Undefined index $_POST
  3. PHP Pass variable to next page
  4. How to change the session timeout in PHP?
  5. Where to put password_verify in login script?
  6. PHP session without cookies
  7. PHP Session timeout
  8. Why is PHP session_destroy() not working?
  9. How long will my session last?
  10. Laravel – Session store not set on request
  11. What do I need to store in the php session when user logged in?
  12. PHP session side-effect warning with global variables as a source of data
  13. PHP sessions default timeout [duplicate]
  14. What is the difference between Sessions and Cookies in PHP?
  15. Troubleshooting “Warning: session_start(): Cannot send session cache limiter – headers already sent”
  16. Storing objects in PHP session
  17. When do I have to declare session_start();?
  18. Codeigniter Sessions not working after migration
  19. PHP sessions in a load balancing cluster – how?
  20. How to access Magento user’s session from outside Magento?
  21. Destroy or unset session when user close the browser without clicking on logout [duplicate]
  22. Is it secure to store a password in a session? [duplicate]
  23. Undefined variable: $_SESSION
  24. Undefined index with PHP sessions
  25. Submit Multiple Forms With One Button
  26. Secure and Flexible Cross-Domain Sessions
  27. PHP How can I create multiple sessions?
  28. Alternative to session_is_registered()
  29. Can a user alter the value of $_SESSION in PHP?
  30. Proper session hijacking prevention in PHP

Leave a Comment