When and why should I use session_regenerate_id?
Posted: Sun Nov 01, 2009 5:20 am
by fluvly
I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that?
When should I use it in the script, just after a user has logged in?
And should I set the optional parameter to TRUE or FALSE?
Thanks for any help!
Re: When and why should I use session_regenerate_id?
Posted: Sun Nov 01, 2009 12:17 pm
by Gadgetmo
You should set the optional parameter to FALSE, and I can imagine it can be more secure. Do it when the user logs in, and maybe also do it every 20 minutes or so. Still, I'm not 100% sure.
Re: When and why should I use session_regenerate_id?
Posted: Mon Nov 02, 2009 10:54 am
by pickle
I don't know about optional parameters, but yes - you can use it after the user logs in.
PHP generates a session id for every connection, whether the session has been "started" or not. It then re-uses that session id once a session has been manually created by your code. So, if access to your login page is plaintext (even if the login form submits securely), a person-in-the-middle may be able to retrieve the session id automatically generated by PHP. Once the user logs in, the person-in-the-middle can assign themselves that same session id, access your server, and be given all the user's session parameters.
If you regenerate the session id after a secure connection is established, there's no way for the person-in-the-middle to know the new session id, without having access to the user's computer.
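A PHP login handler written as an added example for this thread (not code posted by anyone above) that applies the advice given here: issue a fresh id at login so the pre-login id never carries logged-in state, and rotate it again on a timer. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the credential check is left to the caller.

```php
<?php
// Added example, not from the thread: regenerate the session id on login and
// periodically, so an id observed before login is useless afterwards.
declare(strict_types=1);

// Harden how ids are carried and accepted (constructed settings for this example).
ini_set('session.use_only_cookies', '1'); // never read the id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // cookie only travels over HTTPS
    'samesite' => 'Lax',
]);
session_start();

const ROTATE_INTERVAL = 20 * 60; // seconds; the "every 20 minutes" idea above

/** Issue a new id and delete the old session file on the server. */
function rotate_session_id(): void
{
    session_regenerate_id(true);   // true = discard the old session data
    $_SESSION['rotated_at'] = time();
}

/** Periodic rotation bounds how long a leaked id stays useful. */
function rotate_if_stale(): void
{
    $last = $_SESSION['rotated_at'] ?? 0;
    if (time() - $last > ROTATE_INTERVAL) {
        rotate_session_id();
    }
}

/** Call after credentials have been verified by your own code. */
function on_login_success(int $userId): void
{
    rotate_session_id();            // new id BEFORE storing privileged state
    $_SESSION['user_id'] = $userId;
}

/** Call on logout: clear data, expire the cookie, destroy the session. */
function on_logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

rotate_if_stale();
// Usage: after your own credential check succeeds, call on_login_success($uid);
// on logout, call on_logout().
```

Because session.use_strict_mode rejects ids the server did not issue, an attacker cannot plant an id of their choosing; regeneration at login closes the remaining window in which a pre-login id was observed.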