Posted: Thu Sep 22, 2005 8:01 am
Jenk wrote:
    Roja wrote:
        Sorry, I disagree. It is over the top, and can be harmful.
    It's not ott at all.

And the sarcastic wit was necessary, because?
Jenk wrote:
    Regenerating the session ID on each page is good practice.

Regenerating the session ID on every page load can cause significant problems with back button behavior in web apps. Ilia posted about it, and it has appeared on multiple mailing lists.
The current best practice is to regen the ID on authentication or privilege change, as you can see at Chris Shiflett's blog:
http://shiflett.org/articles/security-corner-feb2004
(Many other sites echo that suggestion.)
    "call session_regenerate_id() whenever a user successfully logs in, since this is the moment the session data becomes sensitive for most applications"
To use your analogy, instead of changing the locks every time you unlock the door, you suggest changing the locks every time someone USES the door - lock or not. Since doing so can break back button behavior in many cases, it's harmful AND it gains you little extra security.
Overall, I'd say that fits the description of over the top.
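Added example (not code from this thread or from Shiflett's article): a PHP login handler that calls session_regenerate_id() at the authentication boundary the post above describes, and again on logout, rather than on every request. It assumes PHP 7.1 or later and a hypothetical lookup_user() data-access helper that returns an array with 'id' and 'password_hash' keys, or null for an unknown user.

```php
<?php
// Added example, not from the thread. Regenerate the session ID only at
// privilege boundaries (login, logout), not on every page load.
// Assumes PHP >= 7.1 and a hypothetical lookup_user() helper.

session_start();

function rotate_session_id(): void
{
    // Passing true discards the old session data so the previous ID
    // cannot be replayed once the session has become privileged.
    session_regenerate_id(true);
}

function login(string $username, string $password): bool
{
    $user = lookup_user($username); // hypothetical data-access helper
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // The session is about to be bound to an authenticated user, which is
    // the moment it becomes sensitive; issue a fresh ID here.
    rotate_session_id();
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['auth_time'] = time();
    return true;
}

function logout(): void
{
    // Leaving the authenticated state is also a privilege change:
    // clear the data, rotate away from the authenticated ID, then destroy.
    $_SESSION = [];
    rotate_session_id();
    session_destroy();
}

// Ordinary page views read $_SESSION but do not rotate the ID, which
// keeps back-button navigation working as the post above notes.
```

Any later in-session privilege change (for example re-authenticating to reach an admin area) is another point where rotate_session_id() belongs.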
Courses for horses... I've seen sites such as online casinos NEED the session ID regenerated on every page, where going "back" is actually a bad thing anyway, and given they are dealing with financials, every possible opportunity must be taken to prevent any form of infiltration.