session_regenerate_id(TRUE) vs. session_regenerate_id(FALSE)

[sKunKbad]

I'm working on an authentication script again, and learning more about the way php handles sessions. In the manual, fellow developers complain that setting session_regenerate_id to destroy the previous session can bring about problems if a site user is going from page to page too fast. The session data would be lost, which isn't good at all. They recommend leaving the old session data there, unless a critical need to destroy it exists. My thoughts were, if your going to regenerate the session id, why would you want to leave the old session data? If the old session data can still be used, what's the point of regenerating it at all? A malicious user could use the old session data if captured in some way, and the regenerated id would do nothing to protect the site/data/real user. I want to set my session_regenerate_id to true, but wondering if the issue of the session being lost is too common to do it.

 

I'm not really using my authentication system for any live site just yet, but my project is more of an ultimate php authentication learning experience. I want it to be perfect if the need should arise, and I'm wondering about how the more qualified php user would handle this.

 

My code shouldn't matter, which is why I haven't included it, but I've been asking around to see if other qualified php programmers and ethical hacker types would like to participate in making/perfecting the authentication system, and then distributing it as free/open source. Let me know if you are interested in seeing what I have. It's too much to post, so I'd send it via email.