How to: Regenerate Session IDs with Custom Session Handlers
Posted: Sun Apr 03, 2005 2:21 pm
This is a solution I found recently to a problem I had trying to regenerate session IDs while using a custom session handler (namely MySQL).
I searched the net/forums to no avail, so I was forced to implement my own solution (which was quite simple, actually), and since I failed to find any suitable resources on this matter, I thought I would share my solution here.
Situation:
- My website is on a Shared Host, so I implemented Custom Session Handling (via session_set_save_handler) using a MySQL database as a security measure.
- To prevent Session Fixation attacks I have been regenerating the Session ID (via session_regenerate_id) anytime a change in a user's privilege occurs (like Logging in/out).
Regenerating the Session ID when using a Custom Session Handler fails to maintain Session State. (The new session ID is not updated by the Custom Session Handler). Using both of these proposed security measures together seems fallible.
Solution:
Update the Database manually to contain the new Session ID while maintaining state! Simply create your own SessionRegenerateID() function, and call it anywhere you would normally call the built-in PHP equivalent (session_regenerate_id()).
So basically, you would have (at a minimum):
Code:
// Assuming DB connection is already established in $g_oDB;
function SessionRegenerateID()
{
    global $g_oDB; // the connection lives in global scope, so bring it in

    $szOldSessionID = session_id();
    session_regenerate_id();
    $szNewSessionID = session_id();

    // Move the stored session row from the old ID to the new one.
    // Note: $szOldSessionID comes from the client's cookie, so it should be
    // escaped (or bound as a parameter) by the DB layer before use.
    $szQuery = 'Update SessionTable Set SessionID=\''.$szNewSessionID.'\' Where SessionID=\''.$szOldSessionID.'\'';

    // Ignore the DB abstraction
    $g_oDB->SubmitQuery( $szQuery );
    return;
}

The main part worth note is:
- Get Old (current) Session ID
- Regenerate Session ID
- Get New Session ID
- Update Database to reflect New Session ID
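The same four steps written as an added example (not the original poster's code), assuming a PDO connection `$pdo` to the MySQL database and the poster's `SessionTable`/`SessionID` layout; it binds both IDs as parameters, because the old ID arrives in the client's cookie, and reports whether the move actually happened.

```php
<?php
// Added example, not the poster's code. Assumes: $pdo is a PDO connection to
// MySQL, and the sessions live in SessionTable with the ID in column SessionID.
function sessionRegenerateIdSafely(PDO $pdo)
{
    $oldId = session_id();
    if ($oldId === '' || headers_sent()) {
        return false; // no active session, or too late to send the new cookie
    }

    // Ask PHP for a fresh ID; the save handler's write() will store $_SESSION
    // under the new ID at shutdown, but the existing row still carries the old ID.
    if (!session_regenerate_id()) {
        return false;
    }
    $newId = session_id();

    // Never concatenate the old ID into SQL: it is client-supplied data.
    // The transaction keeps "old row disappears / new row appears" atomic.
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare(
            'UPDATE SessionTable SET SessionID = :new WHERE SessionID = :old'
        );
        $stmt->execute([':new' => $newId, ':old' => $oldId]);
        $moved = ($stmt->rowCount() === 1);
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        return false;
    }

    // rowCount() of 0 means no row was stored yet (first request of a session);
    // the handler will simply create it under the new ID, which is fine.
    return $moved || $newId !== $oldId;
}
```

On PHP 5.1.0 and later, `session_regenerate_id(true)` calls the custom handler's destroy callback for the old ID, so the old row can be removed through the handler itself instead of direct SQL.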
This solution is working great on my website, and I am surprised at the lack of information regarding this problem, considering it has such an easy solution!
Maybe, though, just maybe, this is a problem with the version of PHP which my host provides (4.3.10), and has since been addressed in later releases of PHP? (I know 4.3.10 has other security related holes, but it is up to my host to update, unfortunately).
Anyway, I hope that this may help some people out!!
If you notice any problems (or know of any other resources) about this, please do not hesitate to post!!