I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that?
When should I use it in the script, just after a user has logged in?
And should I set the optional parameter to TRUE or FALSE?
Thanks for any help!
When and why should I use session_regenerate_id?
Re: When and why should I use session_regenerate_id?
You should set the optional parameter to FALSE, and I can imagine it can be more secure. Do it when the user logs in, and maybe also do it every 20 minutes or so. Still, I'm not 100% sure.
Re: When and why should I use session_regenerate_id?
I don't know about optional parameters, but yes - you can use it after the user logs in.
PHP generates a session id for every connection, whether the session has been "started" or not. It then re-uses that session id once a session has been manually created by your code. So, if access to your login page is plaintext (even if the login form submits securely), a person-in-the-middle may be able to retrieve the session id automatically generated by PHP. Once the user logs in, the person-in-the-middle can assign themselves that same session id, access your server, and be given all the user's session parameters.
If you regenerate the session id after a secure connection is established, there's no way for the person-in-the-middle to know the new session id, without having access to the user's computer.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
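An added example (not code from any poster in this thread) putting the two replies together: a login handler that rotates the session id when the user authenticates and again on a timer for already-logged-in sessions. `verify_credentials()`, the `$_POST` field names and the `/account` redirect are assumptions; the `true` argument is PHP's `delete_old_session` flag, which removes the old session's data instead of leaving it on the server.

```php
<?php
// Added example, not from the forum thread. verify_credentials() and the
// form field names are placeholders for this illustration.
declare(strict_types=1);

// Cookie flags must be set before the session starts: the cookie is then
// only sent over HTTPS and cannot be read by page scripts.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Periodic rotation for sessions that are already authenticated; the
// interval is a policy choice (20 minutes here, following the first reply).
const REGEN_INTERVAL = 20 * 60;
if (isset($_SESSION['user'])
    && time() - ($_SESSION['last_regen'] ?? 0) > REGEN_INTERVAL) {
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}

function verify_credentials(string $user, string $pass): bool
{
    // Placeholder (assumption): a real implementation loads the stored
    // password_hash() digest from its user store. The digest is constructed
    // at runtime here only so the example runs stand-alone.
    $stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $stored);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (verify_credentials($user, $pass)) {
        // Privilege changed: issue a fresh id so any id observed before
        // login (e.g. on a plaintext page) no longer maps to this session.
        session_regenerate_id(true);
        $_SESSION['user']       = $user;
        $_SESSION['last_regen'] = time();
        header('Location: /account');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Deleting the old session on rotation means a request that is still in flight with the previous id (a concurrent AJAX call, for instance) will arrive with an unknown session and be treated as logged out, so pages that fire several requests at once should rotate at a point where that cannot happen, such as the login redirect above.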