how to use session_regenerate_id effectively ??
PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm

Post by PHPycho »

hello forums !!
I would like to know how to use session_regenerate_id() effectively..
i tried it as:

session_start();
if (!empty($_SESSION)) {
    // regenerate the id and delete the old session data
    session_regenerate_id(true);
}
I don't know whether it is correct or not.
Hope to have some comments on it.
Thanks in advance
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I think you should use isset() instead of !empty(), because the session IS empty if no variables have been set. And, if you did that, the session id would be regenerated on every script's execution -- which is a bit of overkill.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

scottayy wrote:And, if you did that, the session id would be regenerated on every script's execution -- which is a bit of overkill.
Why would it be overkill? The purpose of it is to lessen the chance of you having your session hijacked, done by changing its id. Why wouldn't you want to do it per-request?
The Phoenix
Forum Contributor
Posts: 294
Joined: Fri Oct 06, 2006 8:12 pm

Post by The Phoenix »

superdezign wrote: Why would it be overkill? The purpose of it is to lessen the chance of you having your session hijacked, done by changing its id. Why wouldn't you want to do it per-request?
Because you don't lock your car doors every time you open them - usually just when you leave the car.

Session regeneration is generally recommended for privilege change or escalation. So if I'm about to become an admin, I should probably have my session regenerated. If I'm going to change my password? That's another good spot.

Putting it in every session call can be bad. What are some of the negatives?:

- Increased load (seen more if you use database-driven sessions)
- Reduced number of valid/invalid sessions (matters more on large sites)
- Increased frequency of session problems (theory)

This is one area that I haven't done much security research into, so I hope someone more knowledgeable will offer input (or even corrections to my reply!).

But based on what I've read, that's my understanding of the situation.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Random session id changes, changing on admin/escalated actions, logging in, changing passwords, etc.. is the widely accepted usage of session_regenerate_id() (from what I've read, at least).

I can imagine the server load in session_regenerate_id() being called on every script by every user. On a large site, session ids being changed to the tune of hundreds per second.. I don't see that being very pretty.
PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm

Post by PHPycho »

so how to make the usage pretty
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

PHPycho wrote:so how to make the usage pretty
... Did you read the thread? :P

I've just begun using it and I call it after successful logins, and am considering calling it per 20 requests or so.
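The pattern the thread converges on, as an added example that is not code from any poster here: always regenerate at a privilege change (login, escalation), and otherwise rotate the id only after a fixed interval instead of on every request. The interval value, the function names and the session keys are assumptions for illustration.

```php
<?php
// Added example (not from any post in this thread): regenerate the session id
// at privilege changes, and otherwise only after a fixed interval, so the
// per-request cost discussed above is avoided while the id still rotates.
declare(strict_types=1);

const REGEN_INTERVAL = 300; // seconds between routine rotations (assumed value)

function regenerate_session(): void
{
    // Passing true deletes the old session data, so the previous id
    // stops being valid for anyone who may have captured it.
    session_regenerate_id(true);
    $_SESSION['regenerated_at'] = time();
}

function start_session(): void
{
    session_start();
    // Rotate the id periodically rather than on every request.
    $last = $_SESSION['regenerated_at'] ?? 0;
    if (time() - $last > REGEN_INTERVAL) {
        regenerate_session();
    }
}

function login_user(int $userId, string $role): void
{
    // Login is a privilege change: any id issued before authentication
    // must not carry over, so always regenerate here.
    regenerate_session();
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = $role;
}

function elevate_to_admin(): void
{
    // Escalation to a more privileged role gets a fresh id as well.
    regenerate_session();
    $_SESSION['role'] = 'admin';
}

function logout_user(): void
{
    // Clear the data and destroy the session; nothing to regenerate.
    $_SESSION = [];
    session_destroy();
}

start_session();
```

With the delete_old_session flag set to true, a request that is still in flight under the old id (for example a concurrent AJAX call) will see an empty session, which is the kind of "session problem" The Phoenix lists as a cost of frequent regeneration.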