
When and why should I use session_regenerate_id?


fluvly


I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that?

 

When should I use it in the script, just after a user has logged in?

 

And should I set the optional parameter to TRUE or FALSE?

 

Thanks for any help!


I read somewhere that using session_regenerate_id can help the security of the website. Is that true? How does it do that?

 

In terms of security it can help foil session fixation attacks. If you obtain someone's session ID you can effectively log in as them. If the session ID changes frequently, the chance of a compromised session ID still being active decreases.

 

When should I use it in the script, just after a user has logged in?

 

Doing it right after login would be pointless. You should do it every X requests.

 

And should I set the optional parameter to TRUE or FALSE?

 

I suppose that depends on what you want to use the function for. Did you read what it does?
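Added example, not code from this thread: a login handler that applies the fixation defence mentioned in the reply above. The server refuses session IDs it never issued (session.use_strict_mode) and swaps the ID at the moment the session gains privileges, carrying the data over so the user stays logged in. It assumes PHP 7.3+ behind HTTPS; the user table, password and routes are constructed for the demo.

```php
<?php
// Added example, not code from this thread. Login handler that defeats
// session fixation: unknown IDs are rejected, and the ID is replaced at
// the moment the session becomes authenticated.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) over HTTPS.

declare(strict_types=1);

// Reject IDs the server never issued, so an ID planted in the victim's
// browser before login is never adopted as a valid session.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,   // cookie not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Constructed demo credential store; the hash is computed at runtime.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

function login(string $username, string $password, array $users): bool
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Privilege change: issue a new ID and delete the old session file so the
    // pre-login ID is unusable immediately. Session data moves to the new ID,
    // so this does not log the user out.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser, then drop the server-side data.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function currentUserId(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

// Minimal request dispatch for the demo (constructed routes).
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login((string) $_POST['username'], (string) $_POST['password'], $users)) {
        header('Location: /account');
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
} elseif (currentUserId() !== null) {
    echo 'Logged in as user ', currentUserId();
} else {
    echo 'Not logged in';
}
```

The point of regenerating at login rather than only every N requests is that the pre-authentication ID is the one an attacker can know in advance; once it is replaced and its file deleted, knowing it gains nothing. Periodic regeneration on top of that limits how long a leaked post-login ID stays valid.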


Thank you for the answer.

 

Doing it right after login would be pointless. You should do it every X requests.

 

Is there a function that tracks the session requests?

 

I suppose that depends on what you want to use the function for. Did you read what it does?

 

I did read what it does: if set to TRUE it deletes the old session file. If I use session_regenerate_id just for security purposes, would it make sense to keep the old session file, or would it be pointless?


Doing it right after login would be pointless. You should do it every X requests.

 

Is there a function that tracks the session requests?

 

You can just do it like this:

 

session_start();
if (!isset($_SESSION['lastRegeneration'])) {
    $_SESSION['lastRegeneration'] = 0;   // first request of this session
}
if (++$_SESSION['lastRegeneration'] > 10) {
    $_SESSION['lastRegeneration'] = 0;
    session_regenerate_id();
}

 

That should regenerate it every 10 requests.

 

I suppose that depends on what you want to use the function for. Did you read what it does?

 

I did read what it does: if set to TRUE it deletes the old session file. If I use session_regenerate_id just for security purposes, would it make sense to keep the old session file, or would it be pointless?

 

If you delete it, you lose all information about the user. Effectively this would log the user out.


  • 4 years later...

Hi Daniel,

 

When I use true as the parameter, the previous cookie value is disregarded and the user is asked to log in, as the session is not valid for the old cookie value (session id).

If I use false as the parameter, then I can use any of the previous cookie values (session ids) to log in to the system. In this scenario both users (the actual authenticated user and the hacker) can use the system at the same time and their requests are considered valid. Then what is the use/significance of this function (session_regenerate_id) with the parameter false?

 

Please correct me if I am wrong or explain the significance of the function with parameter false.
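Added example, not code from this thread, covering both the reply about deleting the old session file and the question above about true versus false. It runs from the command line with PHP's default files handler pointed at a temporary save path, logs a constructed user in, regenerates the ID once with each value of delete_old_session, and then opens both the old and the new ID the way a browser presenting that cookie would. The session IDs and data are generated at runtime.

```php
<?php
// Added example, not code from this thread. Shows what the delete_old_session
// argument of session_regenerate_id() changes, using the files handler in a
// temporary directory so the session files can be inspected directly.
// Assumes PHP 7.1+ run from the CLI.

declare(strict_types=1);

$savePath = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($savePath, 0700);
ini_set('session.save_path', $savePath);
ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0');   // CLI: the ID is set by hand below

function sessionFileExists(string $savePath, string $id): bool
{
    return is_file("$savePath/sess_$id");
}

// Open a session under $id, as a client presenting that cookie would, and
// report whether the server still treats it as the logged-in user.
function canUseId(string $id): bool
{
    session_id($id);
    session_start();
    $ok = ($_SESSION['user'] ?? null) === 'alice';
    session_write_close();
    return $ok;
}

function demo(bool $deleteOld, string $savePath): array
{
    session_start();
    $_SESSION['user'] = 'alice';     // constructed: the user has just logged in
    $oldId = session_id();
    session_regenerate_id($deleteOld);
    $newId = session_id();
    session_write_close();           // flush the new session to disk

    return [
        'old_file_kept' => sessionFileExists($savePath, $oldId),
        'old_id_usable' => canUseId($oldId),
        'new_id_usable' => canUseId($newId),
    ];
}

foreach ([true, false] as $deleteOld) {
    $r = demo($deleteOld, $savePath);
    printf(
        "delete_old_session=%s: old file kept=%s, old id usable=%s, new id usable=%s\n",
        var_export($deleteOld, true),
        var_export($r['old_file_kept'], true),
        var_export($r['old_id_usable'], true),
        var_export($r['new_id_usable'], true)
    );
}

// Clean up the temporary session files.
array_map('unlink', glob("$savePath/sess_*") ?: []);
rmdir($savePath);
```

With true, the old session file is removed and only the new ID opens the logged-in session; the data was copied to the new ID first, so the user is not logged out. With false, PHP writes the current data back under the old ID before creating the new one, so both IDs open the same authenticated session until the old file expires through garbage collection. That is exactly the window the question above describes, which is why regeneration done for security should pass true, or, where an old ID must stay briefly valid for clients on unreliable networks, should at least mark the old session as obsolete with a short expiry and refuse it after that.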

 


 
