
When and why should I use session_regenerate_id?

Posted: Sun Nov 01, 2009 5:20 am
by fluvly
I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that?

When should I use it in the script, just after a user has logged in?

And should I set the optional parameter to TRUE or FALSE?

Thanks for any help!

Re: When and why should I use session_regenerate_id?

Posted: Sun Nov 01, 2009 12:17 pm
by Gadgetmo
You should set the optional parameter to FALSE, and I can imagine it can be more secure. Do it when the user logs in, and maybe also do it every 20 minutes or so. Still, I'm not 100% sure.

Re: When and why should I use session_regenerate_id?

Posted: Mon Nov 02, 2009 10:54 am
by pickle
I don't know about optional parameters, but yes - you can use it after the user logs in.

PHP generates a session id for every connection, whether the session has been "started" or not. It then re-uses that session id once a session has been manually created by your code. So, if access to your login page is plaintext (even if the login form submits securely), a person-in-the-middle may be able to retrieve the session id automatically generated by PHP. Once the user logs in, the person-in-the-middle can assign themselves that same session id, access your server, and be given all the user's session parameters.

If you regenerate the session id after a secure connection is established, there's no way for the person-in-the-middle to know the new session id, without having access to the user's computer.
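The login flow described in this thread, as an added example that is not code from any of the posters: the session id is regenerated at the moment the user authenticates, with the optional parameter set to true so that PHP also deletes the old session's data (that is what the PHP manual documents the delete_old_session parameter as doing). A request that still presents the pre-login id then lands in a fresh, empty session rather than the authenticated one. The authenticate() helper, the sample user record, the cookie settings and the 20-minute rotation interval (taken from the reply above) are all assumptions made for the example.

```php
<?php
// Added example, not from the original thread: a minimal login handler that
// regenerates the session id once the user has authenticated.

declare(strict_types=1);

// Cookie hardening before the session starts. Assumes the site is served over
// TLS; 'secure' => true stops the browser sending the cookie in plaintext.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/**
 * Hypothetical credential check. A real application would look the user up in
 * its own store; the record below is constructed for this example only.
 * Returns the user id on success, null on failure.
 */
function authenticate(string $username, string $password): ?int
{
    // Constructed sample user: "alice" with password "correct horse".
    $users = [
        'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

/**
 * Called exactly once, after the credentials have been verified.
 */
function loginUser(int $userId): void
{
    // Issue a new id and delete the old session's data on the server. A request
    // that still carries the pre-login id now gets a new, empty session instead
    // of inheriting the authenticated one.
    session_regenerate_id(true);

    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
    $_SESSION['last_regen']   = time();
}

/**
 * Optional periodic rotation for long-lived sessions. The 1200-second
 * (20-minute) default follows the suggestion in the thread; it is an assumption.
 */
function rotateSessionIfStale(int $maxAge = 1200): void
{
    if (isset($_SESSION['last_regen']) && time() - $_SESSION['last_regen'] > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
}

/**
 * Logout: clear the data, expire the cookie and destroy the server-side session.
 */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    logoutUser();
    echo 'Logged out';
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = authenticate((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    if ($id === null) {
        http_response_code(401);
        echo 'Login failed';
        exit;
    }
    loginUser($id);
    echo 'Logged in; session id rotated';
} else {
    rotateSessionIfStale();
    echo isset($_SESSION['user_id']) ? 'Authenticated' : 'Anonymous';
}
```

Point of the design: the regeneration happens inside loginUser(), after authenticate() has returned, never before, so an id the client held while unauthenticated is never the id that carries the logged-in state. Drop this file behind an HTTPS vhost, POST username=alice&password=correct+horse, and compare the PHPSESSID cookie value before and after the request to see the rotation.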