ajoo Posted November 21, 2014

Hi all! I came across the sec_session_start() function to start a secure session and I have used it. However, I have come across so many comments on the usage of this function recently, many of which suggest that this is quite useless, an overkill etc. etc. and that using HTTPS is the best option, and there too there are opinions that it has its own overheads and so on.

So I would like to ask: what purpose does this function serve? How good is it really? Should we use it or not?

The most controversial part of this function seems to be session_regenerate_id(), which seems to create unwanted logouts and lost sessions. While this is apparently supposed to be used to prevent session hijacking or session fixation, I have again come across comments which say it is not advisable to use this function. Like it's of no use to deploy this function and should be avoided.

Here is the function as I use it.

    function sec_session_start() {
        $session_name = 'sec_session_id';
        $secure = false; // Set to true if using https.
        $httponly = true;
        ini_set('session.use_only_cookies', 1); // Only accept the session id from a cookie, never from the URL
        $cookieParams = session_get_cookie_params();
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
        session_name($session_name);
        session_start(); // Start the php session
        session_regenerate_id(); // regenerate the session id on every request
    }

And I use it on all the pages at the very top. It seems to work fine. I would be very happy to know the truth about this function and its usage. Thanks loads.
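The following is an added example, not ajoo's code and not from any tutorial the post refers to. It shows one common way to keep the fixation protection that session_regenerate_id() provides while avoiding the lost-session problem the post describes: the id is rotated once after login and then only on a time interval, not on every request. The helper names (rotate_session_id(), the $_SESSION['_rotated_at'] bookkeeping key, the 30-minute interval) are assumptions chosen for the example; the PHP functions and ini settings used are standard ones (the array form of session_set_cookie_params() and session.cookie_samesite need PHP 7.3 or later).

```php
<?php
// Added example (not ajoo's code). Hardened session start that rotates the
// session id only after login and on a time interval, rather than on every
// request. Regenerating on every request is what causes "lost sessions":
// two parallel requests (AJAX, images) arrive with the same old id, the first
// one invalidates it, and the second one lands in an empty session.

const SESSION_ROTATE_INTERVAL = 1800; // assumed: rotate at most every 30 minutes

function sec_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }

    // Derive the "secure" flag from the transport instead of hard-coding it.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // Only accept the id from a cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Reject ids the server did not generate itself; this alone blocks most
    // session fixation attempts, because an attacker-chosen id is discarded.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => $secure,
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // PHP 7.3+: not sent on cross-site POSTs
    ]);

    session_name('sec_session_id');
    session_start();

    // Periodic rotation limits how long a leaked id stays useful.
    $lastRotation = $_SESSION['_rotated_at'] ?? 0; // assumed bookkeeping key
    if (time() - $lastRotation > SESSION_ROTATE_INTERVAL) {
        rotate_session_id();
    }
}

// Call this once right after a successful login (and at logout), so an id
// handed out before authentication can never be reused as an authenticated one.
function rotate_session_id(): void
{
    // true: delete the old session data instead of leaving a copy behind
    session_regenerate_id(true);
    $_SESSION['_rotated_at'] = time();
}

// Usage at the top of every page:
sec_session_start();

// Usage in the login handler, after the password check succeeds:
// rotate_session_id();
// $_SESSION['user_id'] = $userId;
```

The two settings doing most of the work here are session.use_strict_mode, which makes PHP refuse an id it did not issue, and the single rotation in the login handler, which is the one regeneration that actually defeats fixation; the per-request regeneration in the original function adds little beyond that and is the source of the dropped sessions.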
ajoo Posted November 22, 2014 (Author)

Hi, Looking up to some of the gurus to reply to this oft asked yet very controversial question once again. Thanks!