GimbaL wrote:
If I understood correctly, it is recommended to change the session ID with every page update, to make session hijacking more difficult.
To do so, I can call session_regenerate_id after session_start.
I only change the session id when the users permissions change, such as logging into my site or traversing from http to https and vice versa. Alternatively, you could regen the session id after a set interval, say, 15 minutes. Regenerating on every page request is overkill, in my opinion.
GimbaL wrote:
But when I want to change the session ID myself, with the session_id function, it only works *before* session_start.
Question 1: Why is this? I would guess the session_regenerate_id function to be a combination of session_id and optionally deleting the previous session. Why does session_regenerate_id only work after session_start, and session_id only before?
You really don't have much of a reason to set your own session id. Let PHP do it for you. PHP does a good job at it.
Setting a custom session id after a session is started cannot be done, it's already started. Once a session is started, you must tear it down, change the id, then restart it.
session_regenerate_id() will do the above for you, in 1 step. session_regenerate_id() also has an optional parameter which, if set to true, will regenerate a new session and destroy the old one. Example: session_regenerate_id(1);
GimbaL wrote:
Question 2: If the current user session ID is X, and a previous, now redundant, other session ID is Y. How can I destroy session Y, while maintaining session X for the current visitor?
See above.
Play with this code, and it should become clearer:
<?php
session_start();                                  // start a new session, or resume the one the cookie names
print "Session Id: " . session_id() . "<br />";   // the id PHP assigned (or resumed)
session_regenerate_id(1);                         // issue a new id; the old session's storage is deleted, $_SESSION data carries over
print "Session Id: " . session_id() . "<br />";   // the new id, different from the one printed above
?>
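Putting the reply's advice together, here is an added example (not code from the original post) that regenerates the id at the two points it names, a privilege change such as login and a fixed 15-minute interval, using session_regenerate_id(true) so the old id's storage is removed. The $_SESSION['last_regen'] key and the credentials_valid() stub are this example's own assumptions.

```php
<?php
// Added example: regenerate the session id on privilege change and on an
// interval, as the reply above recommends. Key names and the credential
// check are placeholders for this example, not part of the original post.

const REGEN_INTERVAL = 15 * 60; // seconds; the 15-minute interval mentioned above

session_start();

// Interval-based regeneration: a fresh id (old storage destroyed) at most
// every REGEN_INTERVAL seconds, so a leaked id has a bounded lifetime.
if (!isset($_SESSION['last_regen'])
    || time() - $_SESSION['last_regen'] > REGEN_INTERVAL) {
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}

// Placeholder credential check; an application would verify against its
// own user store (e.g. password_verify() against a stored hash).
function credentials_valid(string $user, string $pass): bool
{
    return $user === 'demo' && $pass === 'demo';
}

// Privilege change (login): the session moves from anonymous to authenticated,
// so it gets a new id and the pre-login id stops being valid.
if (isset($_POST['user'], $_POST['pass'])
    && credentials_valid($_POST['user'], $_POST['pass'])) {
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
    $_SESSION['user'] = $_POST['user'];
}

// Logout is a privilege change too: drop the data and destroy the session.
if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    exit;
}

print "Session Id: " . session_id() . "<br />";
```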