Sessions: session_id, regenerate_id, start order?

GimbaL
Forum Newbie
Posts: 18
Joined: Thu Apr 16, 2009 3:28 am

Sessions: session_id, regenerate_id, start order?

Post by GimbaL »

If I understood correctly, it is recommended to change the session ID with every page update, to make session hijacking more difficult.
To do so, I can call session_regenerate_id after session_start.

But when I want to change the session ID myself, with the session_id function, it only works *before* session_start.

Question 1: Why is this? I would guess the session_regenerate_id function to be a combination of session_id and optionally deleting the previous session. Why does session_regenerate_id only work after session_start, and session_id only before? :?:

Question 2: If the current user session ID is X, and a previous, now redundant, other session ID is Y. How can I destroy session Y, while maintaining session X for the current visitor?
peterg012
Forum Newbie
Posts: 4
Joined: Thu Sep 06, 2007 12:52 am

Re: Sessions: session_id, regenerate_id, start order?

Post by peterg012 »

Hi,

I am not sure if you are aware that using session_regenerate_id() will replace the current session id with a new one, and keep the current session information. You could use this to destroy a session:

Code:

session_destroy();
You can only use session_regenerate_id() after session_start because it needs an EXISTING session to regenerate an id for?
If you use session_id("my name") with an id value, it needs to be called before a session is created or resumed so that it knows which session id to set.

Hope this helps in some way.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Sessions: session_id, regenerate_id, start order?

Post by flying_circus »

GimbaL wrote: If I understood correctly, it is recommended to change the session ID with every page update, to make session hijacking more difficult.
To do so, I can call session_regenerate_id after session_start.
I only change the session id when the user's permissions change, such as logging into my site or traversing from http to https and vice versa. Alternatively, you could regen the session id after a set interval, say, 15 minutes. Regenerating on every page request is overkill, in my opinion.
GimbaL wrote: But when I want to change the session ID myself, with the session_id function, it only works *before* session_start.

Question 1: Why is this? I would guess the session_regenerate_id function to be a combination of session_id and optionally deleting the previous session. Why does session_regenerate_id only work after session_start, and session_id only before? :?:
You really don't have much of a reason to set your own session id. Let PHP do it for you. PHP does a good job at it.

Setting a custom session id after a session is started cannot be done, it's already started. Once a session is started, you must tear it down, change the id, then restart it.

session_regenerate_id() will do the above for you, in 1 step. session_regenerate_id() also has an optional parameter which, if set to true, will regenerate a new session and destroy the old one. Example: session_regenerate_id(1);
GimbaL wrote: Question 2: If the current user session ID is X, and a previous, now redundant, other session ID is Y. How can I destroy session Y, while maintaining session X for the current visitor?
See above.


Play with this code, and it should become clearer:

Code:

<?php
  // Start (or resume) the session; this must come before regenerating the id.
  session_start();
  print "Session Id: " . session_id() . "<br />";
  // Issue a new id; the truthy argument also deletes the old session's data.
  session_regenerate_id(1);
  print "Session Id: " . session_id() . "<br />";
?>
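A fuller version of the rotation policy described in this reply (regenerate at login and after an interval, deleting the old session's data), as an added example that is not code from the thread; the demo credential store, the `REGEN_INTERVAL` constant and the `logout` parameter are constructed for illustration:

```php
<?php
// Added example (not from the thread): rotate the session id at a privilege
// boundary (login) or after a fixed interval, not on every page request.
declare(strict_types=1);

const REGEN_INTERVAL = 15 * 60;   // seconds; the interval suggested above
// Constructed demo credential store; a real app would query its user table.
$demoUsers = ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)];

session_start();   // must come before any session_regenerate_id() call
// Login: privileges change, so issue a fresh id. Passing true deletes the
// old session data, so the previous id (Y) can no longer be resumed (Q2).
function elevate_session(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['last_regen'] = time();
}

// Periodic rotation for an already authenticated session.
function rotate_if_stale(): bool
{
    if (time() - ($_SESSION['last_regen'] ?? 0) < REGEN_INTERVAL) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
    return true;
}

// Logout: clear data, expire the cookie, then destroy the server-side session.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

$before = session_id();
$user = $_POST['user'] ?? '';
if (isset($_GET['logout'])) {
    end_session();
} elseif (isset($demoUsers[$user]) && password_verify($_POST['pass'] ?? '', $demoUsers[$user])) {
    elevate_session($user);
} elseif (isset($_SESSION['user'])) {
    rotate_if_stale();
}
print "Session Id before: $before<br />Session Id now: " . session_id() . "<br />";
```

Request the script twice within 15 minutes after logging in and the id stays the same; after the interval, or on a new login, it changes and the old id no longer resumes a session.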