session_regenerate_id not quite on login
Posted: Sat Aug 14, 2010 8:12 am
I want to run session_regenerate_id() on login to prevent fixation attacks. My problem is that by the time I handle the login form, some output has already been outputted to the user, so session_regenerate_id() doesn't quite work because it's too late to set the user's cookies.
What I was thinking about doing is setting a session variable, say regenerate_session_id, and checking it on the next page load. This would result in the session id not being regenerated on login, but rather the next page.
I don't think this would present any issues, specifically security wise, but was wondering if anyone sees any potential problems.
Thanks,
Shawn
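An added example, not code from the original post, showing the two ways this usually gets handled: buffering output so that `session_regenerate_id()` can still set the cookie at login time, and, as a fallback, the deferred flag described in the post. It assumes PHP 7.3 or later (for the `session_start()` options array, including `cookie_samesite`) and a single front-controller script; the function names `beginRequest`, `onSuccessfulLogin` and `rotateSessionIdIfPending` are illustrative and not from any project.

```php
<?php
// Added example (not from the original post). Function names and the
// session key names are illustrative assumptions. Assumes PHP >= 7.3.
declare(strict_types=1);

// Approach 1: start output buffering before anything is echoed, so the
// Set-Cookie header for a regenerated id can still be sent when the login
// form is processed later in the same request. Call this at the very top
// of the front controller.
function beginRequest(): void
{
    ob_start(); // hold all output until the script ends or flushes
    session_start([
        'cookie_httponly' => true,   // not readable from JavaScript
        'cookie_secure'   => true,   // only sent over HTTPS
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,   // reject ids the server never issued
    ]);
    rotateSessionIdIfPending();
}

// Called from the login handler once credentials have been verified.
function onSuccessfulLogin(int $userId): void
{
    if (!headers_sent()) {
        // Preferred path: rotate the id now. Passing true deletes the old
        // session data, so a pre-login id someone may have planted is dead.
        session_regenerate_id(true);
    } else {
        // Fallback (the pattern from the post): mark the session and rotate
        // on the next request, which runs before any output.
        $_SESSION['regenerate_session_id'] = true;
    }
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

// Runs right after session_start() on every request, before any output.
function rotateSessionIdIfPending(): void
{
    if (!empty($_SESSION['regenerate_session_id'])) {
        // Clear the flag first so the new session does not carry it along.
        unset($_SESSION['regenerate_session_id']);
        session_regenerate_id(true);
    }
}

// Typical use in the front controller:
beginRequest();
if (($_POST['action'] ?? '') === 'login' && credentialsAreValid($_POST)) {
    onSuccessfulLogin(lookupUserId($_POST['username']));
}
// ... render the page; ob_start() means the cookie header still goes out.

// Placeholders for the application's own credential check and lookup.
function credentialsAreValid(array $post): bool { return false; }
function lookupUserId(string $username): int { return 0; }
```

The deferred-flag path works, but it leaves the old session id valid and authenticated for one full round trip until the next request arrives, which is exactly the window a fixation attack needs; wrapping the request in `ob_start()` removes that window because the cookie can be set in the same request that verifies the password. Either way, pass `true` to `session_regenerate_id()` so the old id's data is destroyed rather than left behind, and enable `use_strict_mode` so the server refuses to adopt an id it never generated.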