Sessions: session_id, regenerate_id, start order?
Posted: Tue Jan 05, 2010 6:51 am
If I understood correctly, it is recommended to change the session ID with every page update, to make session hijacking more difficult.
To do so, I can call session_regenerate_id after session_start.
But when I want to change the session ID myself, with the session_id function, it only works *before* session_start.
Question 1: Why is this? I would guess the session_regenerate_id function to be a combination of session_id and optionally deleting the previous session. Why does session_regenerate_id only work after session_start, and session_id only before?
Question 2: If the current user session ID is X, and a previous, now redundant, other session ID is Y, how can I destroy session Y while maintaining session X for the current visitor?
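The call order the post asks about, as an added example that is not part of the original post: `session_id($id)` selects which session `session_start()` will open, while `session_regenerate_id()` changes the ID of a session that is already open. The helper name `destroy_other_session` and the sample data are hypothetical; the script assumes PHP 7.1+, the default `files` save handler, and the PHP CLI.

```php
<?php
// Added example (assumptions: PHP 7.1+, default "files" handler, PHP CLI).
session_save_path(sys_get_temp_dir());

// Hypothetical helper: delete stored session $staleId, keep the current one.
// $staleId must come from the server's own records, never from request input.
function destroy_other_session(string $staleId): void
{
    $currentId = session_id();
    session_write_close();                          // save and close X
    $cookies = ini_set('session.use_cookies', '0'); // no Set-Cookie for Y
    session_id($staleId);                           // choose Y: only valid while no session is active
    session_start();                                // open Y
    session_destroy();                              // delete Y's stored data
    ini_set('session.use_cookies', (string) $cookies);
    session_id($currentId);                         // choose X again
    session_start();                                // reopen X; $_SESSION is reloaded from X
}

session_start();                 // new session; its ID plays the role of Y
$_SESSION['user'] = 'alice';     // constructed sample data
$y = session_id();

// session_regenerate_id() swaps the ID of the *active* session, so it needs
// session_start() first. false keeps Y's data in storage (the "redundant"
// session); passing true would delete Y at this point instead.
session_regenerate_id(false);
$x = session_id();

destroy_other_session($y);

$yFile = session_save_path() . '/sess_' . $y;
$xFile = session_save_path() . '/sess_' . $x;
session_write_close();           // flush X so its file can be checked
echo 'Y removed: ', var_export(!file_exists($yFile), true), PHP_EOL;
echo 'X kept:    ', var_export(file_exists($xFile), true), PHP_EOL;
echo 'X data:    ', $_SESSION['user'], PHP_EOL;
```

In a web request the helper has to run before any output is sent, the same constraint that applies to `session_start()` itself.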