
Sessions: session_id, regenerate_id, start order?

Posted: Tue Jan 05, 2010 6:51 am
by GimbaL
If I understood correctly, it is recommended to change the session ID with every page update, to make session hijacking more difficult.
To do so, I can call session_regenerate_id after session_start.

But when I want to change the session ID myself, with the session_id function, it only works *before* session_start.

Question 1: Why is this? I would guess that session_regenerate_id is a combination of session_id and, optionally, deleting the previous session. Why does session_regenerate_id only work after session_start, and session_id only before?

Question 2: If the current user session ID is X, and a previous, now redundant, other session ID is Y. How can I destroy session Y, while maintaining session X for the current visitor?

Re: Sessions: session_id, regenerate_id, start order?

Posted: Tue Jan 05, 2010 9:00 am
by peterg012
Hi,

I am not sure if you are aware that using session_regenerate_id() will replace the current session id with a new one, and keep the current session information. You could use this to destroy a session:


session_destroy();
You can only use session_regenerate_id() after session_start because it needs an EXISTING session to regenerate an id for.
If you use session_id("my name") with an id value, it needs to be called before a session is created or resumed so that it knows which session id to set.

Hope this helps in someway..

Re: Sessions: session_id, regenerate_id, start order?

Posted: Tue Jan 05, 2010 11:56 am
by flying_circus
GimbaL wrote: If I understood correctly, it is recommended to change the session ID with every page update, to make session hijacking more difficult.
To do so, I can call session_regenerate_id after session_start.
I only change the session id when the users permissions change, such as logging into my site or traversing from http to https and vice versa. Alternatively, you could regen the session id after a set interval, say, 15 minutes. Regenerating on every page request is overkill, in my opinion.
GimbaL wrote: But when I want to change the session ID myself, with the session_id function, it only works *before* session_start.

Question 1: Why is this? I would guess the session_regenerate_id function to be a combination of session_id and optionally deleting the previous session. Why does session_regenerate_id only work after session_start, and session_id only before?
You really don't have much of a reason to set your own session id. Let PHP do it for you. PHP does a good job at it.

Setting a custom session id after a session is started cannot be done, it's already started. Once a session is started, you must tear it down, change the id, then restart it.

session_regenerate_id() will do the above for you, in 1 step. session_regenerate_id() also has an optional parameter which, if set to true, will regenerate a new session and destroy the old one. Example: session_regenerate_id(1);
GimbaL wrote: Question 2: If the current user session ID is X, and a previous, now redundant, other session ID is Y. How can I destroy session Y, while maintaining session X for the current visitor?
See above.


Play with this code, and it should become clearer:


<?php
  // Start (or resume) the session; session_id() is only meaningful after this.
  session_start();
  print "Session Id: " . session_id() . "<br />";
  // Issue a fresh ID, carry $_SESSION over to it, and delete the old session
  // record (the true argument); the old ID is no longer usable.
  session_regenerate_id(true);
  print "Session Id: " . session_id() . "<br />";
?>
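The following is an added example, not code posted by anyone in this thread. It puts together the points made above: peterg012's session_destroy() call (extended to a full logout, since session_destroy() alone leaves the cookie and $_SESSION in place), flying_circus's advice to rotate the ID on privilege change or on a timer rather than on every request, and a worked answer to GimbaL's question 2 (getting rid of a stale session Y while keeping the current session X). The helper names, the 15-minute interval, the user name "alice" and the request-handling sketch at the bottom are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original thread). Helper names, the interval
// and the user "alice" are assumptions chosen for illustration.
declare(strict_types=1);

const REGEN_INTERVAL = 15 * 60; // seconds between scheduled ID rotations (assumed value)

// Start (or resume) the session with settings that make hijacking harder.
function secure_session_start(): void
{
    // Reject IDs the server never issued, so an attacker cannot plant a
    // session ID of their choosing (session fixation).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,                       // keep the ID away from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']),  // only over TLS when served over TLS
        'samesite' => 'Lax',
    ]);
    session_start();

    // Scheduled rotation: rotate after REGEN_INTERVAL, not on every request.
    if (!isset($_SESSION['last_regen'])) {
        $_SESSION['last_regen'] = time();
    } elseif (time() - $_SESSION['last_regen'] > REGEN_INTERVAL) {
        rotate_session_id();
    }
}

// Issue a new ID, carry $_SESSION over to it, and delete the old record so
// the previous ID cannot be replayed. Only valid after session_start().
function rotate_session_id(): void
{
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}

// Privilege change: call this after the credentials have been verified, so a
// pre-authentication ID never becomes an authenticated session.
function login(string $username): void
{
    rotate_session_id();
    $_SESSION['user'] = $username;
}

// Full teardown: clear the data, expire the cookie, remove the server record.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Question 2: destroy a different session Y while keeping the caller's X.
// PHP only operates on the "current" session, so close X, switch to Y,
// destroy it, then reopen X. Must run before any output is sent, because
// PHP re-sends the session cookie when X is reopened.
function destroy_other_session(string $staleId): void
{
    $currentId = session_id();
    session_write_close();      // flush X to storage and detach from it

    session_id($staleId);       // select Y: only allowed before session_start()
    session_start();
    session_destroy();          // remove Y's server-side data

    session_id($currentId);     // reattach X
    session_start();
}

// Usage sketch for a login endpoint (request handling is assumed):
secure_session_start();
if (($_POST['action'] ?? '') === 'login' /* && credentials verified */) {
    login('alice');
}
```

With session_regenerate_id(true) used everywhere the ID changes, question 2 normally does not arise: the old session is deleted in the same call. destroy_other_session() is for the case where an old ID was left behind by a regenerate call without the true argument; note that under use_strict_mode an ID that no longer exists in storage is simply replaced by a fresh one, which is then destroyed, so the function is safe to call with an already-gone ID.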