How to use session_regenerate_id() effectively?
Posted: Thu Sep 13, 2007 11:37 pm
by PHPycho
Hello forums!
I would like to know how to use session_regenerate_id() effectively.
I tried it as:
```php
session_start();
// Regenerate the id (and delete the old session data) whenever the session already holds data
if (!empty($_SESSION)) {
    session_regenerate_id(true);
}
```
I don't know whether it is correct or not.
Hope to have some comments on it.
Thanks in advance
Posted: Fri Sep 14, 2007 12:01 am
by s.dot
I think you should use isset() instead of !empty(), because the session IS empty if no variables have been set. And, if you did that, the session id would be regenerated on every script execution -- which is a bit of overkill.
Posted: Fri Sep 14, 2007 3:27 am
by superdezign
scottayy wrote:And, if you did that, the session id would be regenerated on every script execution -- which is a bit of overkill.
Why would it be overkill? The purpose of it is to lessen the chance of you having your session hijacked, done by changing its id. Why wouldn't you want to do it per-request?
Posted: Fri Sep 14, 2007 4:29 pm
by The Phoenix
superdezign wrote:
Why would it be overkill? The purpose of it is to lessen the chance of you having your session hijacked, done by changing its id. Why wouldn't you want to do it per-request?
Because you don't lock your car doors every time you open them - usually just when you leave the car.
Session regeneration is generally recommended for privilege change or escalation. So if I'm about to become an admin, I should probably have my session regenerated. If I'm going to change my password? That's another good spot.
Putting it in every session call can be bad. What are some of the negatives?
- Increased load (seen more if you use database-driven sessions)
- Reduced number of valid/invalid sessions (matters more on large sites)
- Increased frequency of session problems (theory)
This is one area that I haven't done much security research into, so I hope someone more knowledgeable will offer input (or even corrections to my reply!).
But based on what I've read, that's my understanding of the situation.
Posted: Fri Sep 14, 2007 4:51 pm
by s.dot
Random session id changes, changing on admin/escalated actions, logging in, changing passwords, etc. is the widely accepted usage of session_regenerate_id() (from what I've read, at least).
I can imagine the server load with session_regenerate_id() being called on every script by every user. On a large site, session ids being changed to the tune of hundreds per second... I don't see that being very pretty.
Posted: Mon Sep 17, 2007 1:07 am
by PHPycho
So how to make the usage pretty?
Posted: Mon Sep 17, 2007 6:41 am
by superdezign
PHPycho wrote:So how to make the usage pretty?
... Did you read the thread?
I've just begun using it and I call it after successful logins, and am considering calling it per 20 requests or so.
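An added example, not code from anyone in this thread, that puts The Phoenix's advice (regenerate on login, privilege change and password change) and superdezign's "every 20 requests" idea into one PHP script. The function names, the request flow, the constant REGEN_EVERY_N_REQUESTS and the in-memory user store are assumptions made for illustration; a real application would use its own login code and database.

```php
<?php
// Added example, not from the thread. Regenerates the session id at the
// points the thread recommends instead of on every request.
declare(strict_types=1);

const REGEN_EVERY_N_REQUESTS = 20; // assumed interval, from superdezign's suggestion

function secureSessionStart(): void
{
    // Reject ids the server never issued; this blocks the classic
    // session-fixation trick of handing the victim an attacker-chosen id.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,                      // not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']), // only over TLS when available
        'samesite' => 'Lax',
    ]);
    session_start();
}

function rotateSessionId(string $reason): void
{
    // true: delete the old session data so the previous id stops working now,
    // rather than lingering until garbage collection.
    session_regenerate_id(true);
    $_SESSION['regen_count'] = 0;
    $_SESSION['last_regen_reason'] = $reason;
}

// Constructed sample user store (assumed); a real app reads from a database.
function verifyCredentials(string $username, string $password): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'is_admin' => false,
                        'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
        ];
    }
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return ['id' => $users[$username]['id'], 'is_admin' => $users[$username]['is_admin']];
}

// Called only after the password check succeeds: the id the browser had
// before authentication is thrown away, so a pre-set id is worthless.
function onLoginSuccess(int $userId, bool $isAdmin): void
{
    rotateSessionId('login');
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
}

function onPrivilegeEscalation(): void
{
    rotateSessionId('privilege_change');
    $_SESSION['is_admin'] = true;
}

function onPasswordChanged(): void
{
    rotateSessionId('password_change');
}

// Per-request hook: rotate only every N requests, not every request, which
// keeps the load down while still bounding how long a stolen id stays useful.
function maybeRotatePeriodically(): void
{
    $_SESSION['regen_count'] = ($_SESSION['regen_count'] ?? 0) + 1;
    if ($_SESSION['regen_count'] >= REGEN_EVERY_N_REQUESTS) {
        rotateSessionId('periodic');
    }
}

function onLogout(): void
{
    $_SESSION = [];
    // Expire the client cookie as well as the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- assumed request flow ---
secureSessionStart();
maybeRotatePeriodically();

if (isset($_POST['username'], $_POST['password'])) {
    $user = verifyCredentials((string) $_POST['username'], (string) $_POST['password']);
    if ($user !== null) {
        onLoginSuccess($user['id'], $user['is_admin']);
    }
}
```

Two caveats worth knowing before copying the periodic rotation. First, session_regenerate_id(true) deletes the old session immediately, so a page that fires several concurrent requests (AJAX, images served through PHP) can have a late request arrive with the now-dead old id and be treated as logged out; that is the "session problems" cost The Phoenix mentions, and it is why the rotation on login, privilege change and password change matters far more than the every-N-requests fallback. Second, regeneration does nothing against an attacker who already holds the current cookie; it limits how long a stolen or fixated id stays useful, which is why it is paired here with HttpOnly, Secure and use_strict_mode.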