When and why should I use session_regenerate_id?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

fluvly
Forum Newbie
Posts: 10
Joined: Wed Sep 23, 2009 10:08 am

When and why should I use session_regenerate_id?

Post by fluvly »

I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that?

When should I use it in the script, just after a user has logged in?

And should I set the optional parameter to TRUE or FALSE?

Thanks for any help!

Gadgetmo
Forum Newbie
Posts: 14
Joined: Sun Nov 01, 2009 7:17 am

Re: When and why should I use session_regenerate_id?

Post by Gadgetmo »

You should set the optional parameter to FALSE, and I can imagine it can be more secure. Do it when the user logs in, and maybe also do it every 20 minutes or so. Still, I'm not 100% sure.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: When and why should I use session_regenerate_id?

Post by pickle »

I don't know about optional parameters, but yes - you can use it after the user logs in.

PHP generates a session id for every connection, whether the session has been "started" or not. It then re-uses that session id once a session has been manually created by your code. So, if access to your login page is plaintext (even if the login form submits securely), a person-in-the-middle may be able to retrieve the session id automatically generated by PHP. Once the user logs in, the person-in-the-middle can assign themselves that same session id, access your server, and be given all the user's session parameters.

If you regenerate the session id after a secure connection is established, there's no way for the person-in-the-middle to know the new session id, without having access to the user's computer.

Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
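As an added example that is not code from the thread: a PHP login handler that does what pickle describes, regenerating the id once the user authenticates (with the parameter set to TRUE so the old session data is discarded), and also rotating it on the 20-minute timer Gadgetmo mentions. The `check_credentials` function and its in-memory user table are constructed for the example.

```php
<?php
// Added example, not code from the thread. Rotates the session id on login
// and every 20 minutes.
const ROTATE_AFTER_SECONDS = 20 * 60;

// Cookie hardening: HTTPS-only and not readable by page scripts.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// New id, and the TRUE argument deletes the old session file, so an id
// observed earlier no longer resolves to any session data on the server.
function rotate_session_id(): void
{
    session_regenerate_id(true);
    $_SESSION['last_rotation'] = time();
}

// Constructed in-memory user table; a real app reads hashes from its store.
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// The user moves from anonymous to authenticated, so the id they arrived
// with must not survive the privilege change.
function on_successful_login(string $username): void
{
    rotate_session_id();
    $_SESSION['user'] = $username;
    $_SESSION['authenticated'] = true;
}

// Timed rotation for already-authenticated sessions; call on every request.
function rotate_if_stale(): void
{
    $last = $_SESSION['last_rotation'] ?? 0;
    if (time() - $last > ROTATE_AFTER_SECONDS) {
        rotate_session_id();
    }
}

if (isset($_POST['username'], $_POST['password'])
    && check_credentials($_POST['username'], $_POST['password'])) {
    on_successful_login($_POST['username']);
} elseif (!empty($_SESSION['authenticated'])) {
    rotate_if_stale();
}
```

Serving the login page itself over HTTPS still matters: regeneration only protects the id issued after authentication, not anything else sent in the clear beforehand.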