Trouble with session_regenerate_id(true)

TCmullet
Forum Newbie
Posts: 2
Joined: Thu Apr 11, 2013 9:01 pm

Post by TCmullet »

I'm new to PHP. Have gotten a simple login system working. Each page has

Code:

<?php include "base.php";?>

at the top. base.php contains:

Code:

<?php
session_start();
?>

I do call several other php files during the course of things. It works fine, but I found here:
http://forums.devshed.com/php-developme ... 50530.html
that in order to prevent session hijacking, I should add a line to make my base.php file look like this:

Code:

<?php
session_start();
session_regenerate_id(true);
?>

Everything works fine except now I get a warning every time I execute any of my pages (all of them including this code at the top). The warning is this:

[11-Apr-2013 22:19:34 America/New_York] PHP Warning: session_regenerate_id(): Cannot regenerate session id - headers already sent in /home/tomsgood/public_html/base.php on line 3

The searching I did on the web doesn't seem to help me find out why this warning is happening or how to stop it.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Trouble with session_regenerate_id(true)

Post by social_experiment »

TCmullet wrote: at the top

With nothing before (above) that, no doctype declaration or HTML tags (such as meta tags) or any other data?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
TCmullet
Forum Newbie
Posts: 2
Joined: Thu Apr 11, 2013 9:01 pm

Re: Trouble with session_regenerate_id(true)

Post by TCmullet »

Yes, the "include base.php" line has to come before everything. (At least that's what I learned a couple years ago when I first got it working in its present state.)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Trouble with session_regenerate_id(true)

Post by social_experiment »

TCmullet wrote: the "include base.php" line has to come before everything.

Correct, it still works this way.

I think you should only regenerate the ID during one of the 3 times mentioned, not on each page:
When a user logs in
When a user logs out
When a user gets administrative access
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
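
The advice in the last reply, as an added example that is not part of the original thread: base.php only starts the session, and the ID is rotated at login, logout and privilege elevation, with a headers_sent() check that logs where output began when rotation is impossible. The helper and function names are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// base.php (added example). Include it before any output, as in the thread.
// No closing PHP tag at the end of the file: nothing after it can leak out
// as accidental output.

session_start();

/**
 * Hypothetical helper: rotate the session ID at a privilege boundary.
 * session_regenerate_id() has to send a new session cookie header, so it
 * cannot work once output has started. headers_sent() fills in the file and
 * line where that output began, which is what the warning does not tell you.
 */
function rotate_session_id(): bool
{
    if (headers_sent($file, $line)) {
        error_log("Session ID not rotated: output started at $file:$line");
        return false;
    }
    // true = delete the old session data so the old ID stops being usable.
    return session_regenerate_id(true);
}

/** Call after the credentials have been verified (verification not shown). */
function on_login(string $username): void
{
    if (!rotate_session_id()) {
        throw new RuntimeException('Refusing to log in on an unrotated session ID');
    }
    $_SESSION['user'] = $username;
    $_SESSION['is_admin'] = false;
}

/** Call when a logged-in user gains administrative access. */
function on_admin_elevation(): void
{
    if (!rotate_session_id()) {
        throw new RuntimeException('Refusing to elevate on an unrotated session ID');
    }
    $_SESSION['is_admin'] = true;
}

/** Call on logout: clear the data first, then rotate away from the old ID. */
function on_logout(): void
{
    $_SESSION = [];
    rotate_session_id(); // a failure is logged by the helper
}
```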