fluvly Posted November 1, 2009
Topic: https://forums.phpfreaks.com/topic/179816-when-and-why-should-i-use-session_regenerate_id/

I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that? When should I use it in the script, just after a user has logged in? And should I set the optional parameter to TRUE or FALSE? Thanks for any help!
Daniel0 Posted November 1, 2009

> I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that?

In terms of security it can help foil session fixation attacks. If you obtain someone's session ID you can effectively log in as them. If the session ID changes frequently, the chance of a compromised session ID still being active decreases.

> When should I use it in the script, just after a user has logged in?

Doing it right after login would be pointless. You should do it every X requests.

> And should I set the optional parameter to TRUE or FALSE?

I suppose that depends on what you want to use the function for. Did you read what it does?
fluvly (Author) Posted November 1, 2009

Thank you for the answer.

> Doing it right after login would be pointless. You should do it every X requests.

Is there a function that tracks the session requests?

> I suppose that depends on what you want to use the function for. Did you read what it does?

I did read what it does; if set to TRUE it deletes the old session file. If I use session_regenerate_id just for security purposes, would it make sense to keep the old session file, or would it be pointless?
Daniel0 Posted November 1, 2009

> Doing it right after login would be pointless. You should do it every X requests.
> Is there a function that tracks the session requests?

You can just do like this:

    if (!isset($_SESSION['lastRegeneration'])) {
        $_SESSION['lastRegeneration'] = 0; // initialise the counter on the first request
    }
    if (++$_SESSION['lastRegeneration'] > 10) {
        $_SESSION['lastRegeneration'] = 0;
        session_regenerate_id();
    }

That should regenerate it every 10 requests.

> I suppose that depends on what you want to use the function for. Did you read what it does?
> I did read what it does; if set to TRUE it deletes the old session file. If I use session_regenerate_id just for security purposes, would it make sense to keep the old session file, or would it be pointless?

If you delete it, you lose all information about the user. Effectively this would log the user out.
shashankraj Posted May 16, 2014

Hi Daniel,

When I use true as the parameter, the previous cookie value is disregarded and the user is asked to log in, as the session is not valid for the old cookie value (session ID). If I use false as the parameter, then I can use any of the previous cookie values (session IDs) to log in to the system. In this scenario both users (the actual authenticated user and the hacker) can use the system at the same time and their requests are considered valid. Then what is the use/significance of this function (session_regenerate_id) with the parameter false? Please correct me if I am wrong or explain the significance of the function with the parameter false.
Jacques1 Posted May 16, 2014

Why do you dig out a thread from 2009? It might also be helpful to read the manual. Questions like this are exactly why it exists.

No, the parameter has nothing to do with cookies. It tells PHP whether or not the old session file should be deleted.
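The two behaviours discussed in this thread (the `$delete_old_session` parameter asked about above, and Daniel0's every-N-requests counter), as an added example that is not code from any poster. It assumes PHP's default file-based session handler and a hypothetical `$_SESSION['user_id']` key for the logged-in user.

```php
<?php
// Added example, not from the thread. Assumes the default session save handler.
session_start();

/**
 * Rotate the session ID.
 *
 * $deleteOld = true : the old session file is removed, so the old ID no longer
 *                     maps to any data; a client still presenting it gets an
 *                     empty session (what shashankraj observed with "true").
 * $deleteOld = false: the old file is left in place and the old ID keeps working
 *                     until garbage collection removes it (his "false" case).
 * In both cases the current $_SESSION contents are carried over to the new ID,
 * so the legitimate user is not logged out by the rotation itself.
 */
function rotate_session_id(bool $deleteOld = true): bool
{
    return session_regenerate_id($deleteOld);
}

// Rotate at the moment privilege changes (a successful login) so that a session
// ID the browser held before authentication never becomes an authenticated one.
function on_successful_login(int $userId): void
{
    rotate_session_id(true);
    $_SESSION['user_id']  = $userId;   // hypothetical key
    $_SESSION['requests'] = 0;         // counter for periodic rotation below
}

// Daniel0's periodic rotation, with the counter initialised on first use so the
// first request does not trip an "undefined index" notice.
function rotate_periodically(int $every = 10): void
{
    $_SESSION['requests'] = ($_SESSION['requests'] ?? 0) + 1;
    if ($_SESSION['requests'] >= $every) {
        $_SESSION['requests'] = 0;
        rotate_session_id(true);
    }
}

// Typical per-request use: call on every page load after session_start().
rotate_periodically(10);
```

With `true`, an ID that leaked before the rotation is useless afterwards; with `false`, the leaked ID stays valid until the old file is garbage-collected, which is why `false` gives little security benefit on its own.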