Showing results for tags 'session_regenerate_id()'.

Found 1 result

  1. Hi all, I have been coding in PHP now for almost a year, but I still feel like a newbie when it comes to sessions! That's an honest confession. Like many newcomers, I too came across sec_session_start(), which is a common function that is easily found on the net by people looking for a secure login script. Here is the function:

     ```php
     function sec_session_start() {
         $session_name = 'secure_session_main'; // Set a custom session name
         $secure = false;   // Set to true if using https.
         $httponly = true;  // This stops javascript being able to access the session id.
         ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
         $cookieParams = session_get_cookie_params(); // Gets current cookies params.
         session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
         session_name($session_name); // Sets the session name to the one set above.
         session_start();             // Start the php session
         session_regenerate_id(TRUE); // Regenerate the session, delete the old one.
     }
     ```

     I used it in my login page and on the other pages of my application. It seemed to work fine, and then it started to create problems. I wrote about it on this forum. Every time I would click on a button or a link on my page, I would get logged out. I discussed that issue on this forum, but no solution was found. Then I found that if I removed the (TRUE) from the session_regenerate_id(), things became fine. So I removed the TRUE and proceeded, wanting to come back here at a later time, like now. I was actually quite pleased that I had found a solution to my problem.

     But now, while reading more on session_regenerate_id, I came across a number of articles that said that not using session_regenerate_id with the argument TRUE is not effective in preventing session hijacking, or was it session fixation. The articles, as well as some of the answers to questions in the forums, pointed out that session_regenerate_id should be used only when 1. logging in, 2. logging out & 3. when privileges change. However, I am using this sec_session_start on each and every page of my application instead of using session_start(), and I want to use this function with session_regenerate_id(TRUE), since that, it seems, is more effective against the session attacks.

     The latest issue that I have encountered is the generation of an error message that says "session_regenerate_id(true) failed".

     I would like to ask if my using sec_session_start() on each and every page is an incorrect and too-frequent use of the function. In that case, what should I use at the beginning of each of those pages to start a session? I would like to know if there is any flaw in my thought process above, and anything else related that would shed some more light on using session_regenerate_id(TRUE) in the above function. Basically, the right way to initiate a new session securely.

     PS - my program seems to work correctly otherwise. Even when the error "session_regenerate_id(true) failed" is generated, the variables in the application remain intact and save properly. If I remove the (TRUE), all problems seem to cease, but then, like I mentioned above, the discussions I have read say that that usage is ineffective against session attacks.

     Thanks loads.
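
An added example, not part of the original post and not code from any project: one way to separate per-page session startup from session ID rotation, following the login / logout / privilege-change rule the post cites. The function names `app_session_start()`, `app_on_privilege_change()` and `app_logout()` are hypothetical, and the array forms of `session_set_cookie_params()` and `setcookie()` assume PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: call at the top of every page instead of session_start().
// It hardens the cookie and starts the session but does NOT rotate the ID.
function app_session_start(bool $secure = true): void
{
    ini_set('session.use_only_cookies', '1'); // never accept session IDs from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    $p = session_get_cookie_params();
    session_set_cookie_params([
        'lifetime' => $p['lifetime'],
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $secure,   // true when the site is served over HTTPS
        'httponly' => true,      // hide the cookie from JavaScript
        'samesite' => 'Lax',
    ]);
    session_name('secure_session_main');
    session_start();
}

// Hypothetical helper: call only at login and when privileges change.
// Any ID that existed before authentication stops being valid here.
function app_on_privilege_change(int $userId): void
{
    if (!session_regenerate_id(true)) { // true = delete the old session data
        throw new RuntimeException('session ID rotation failed');
    }
    $_SESSION['user_id'] = $userId;
}

// Hypothetical helper: call at logout. Clears the data, expires the
// cookie in the browser and destroys the server-side storage.
function app_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
    session_destroy();
}
```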