objnoob, posted March 29, 2011

Greetings,

I threw together a log-in script that uses session_regenerate_id() to help prevent session hijacking. The script has 2 basic parts: authentication and session validation.

Session validation is a script that is set atop other PHP scripts using a require_once call. It validates the token and session, and it will regenerate a session id if need be.

What I've noticed when loading a page is that when a user has been validated (session id and token id) AND a new session id has been generated, if the client aborts while PHP is processing the rest of the script, the session becomes invalid and the user must log in again. I believe what is happening is that the server side has been updated with the newly generated session but the client hasn't gotten the updated cookie, thus creating a mismatch at the time of the next session and token validation. Does this make any sense?

Possible fix: if session id regeneration is required, conditionally register a shutdown function that will initiate the regeneration of the session id. This will ensure the initial PHP processing has completed, and a less intensive block of code can regenerate the id. This closes the client-abort-while-processing window substantially.

I'm looking for some advice on possible solutions and problems. Thanks! :]

https://forums.phpfreaks.com/topic/232064-require-regenerate_session_id-http-cookies/
objnoob (author), posted March 29, 2011

I get this error trying the approach mentioned above. I may be able to buffer output.

Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot send session cookie - headers already sent by (output started at /var/www/?:483) in /var/www/? on line 77
requinix, posted March 29, 2011

Call session_write_close() as soon as you're done with the session stuff.
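The approach the thread converges on, as an added example that is not code from either poster: a validation header that is require_once'd at the top of a page, rotates the session id before any output so the Set-Cookie header can still be sent (which avoids the "headers already sent" warning above), keeps the previous id valid for a short grace period so a client that aborted before receiving the new cookie is not logged out, and calls session_write_close() as soon as the session work is done, as requinix suggests. The grace-period handling follows the pattern the PHP manual documents for session_create_id(), with the session data copied across explicitly. Assumed, not from the thread: PHP 7.3 or later, $_SESSION['user_id'] and $_SESSION['token'] set by the login script, a client cookie named token, a /login.php redirect target, and the two timing constants.

```php
<?php
// Added example, not code from the thread. Session-validation header:
// rotate the session id before any output, keep the old id usable for a
// short grace period (the OP's client-abort race), release the lock early.
//
// Assumed (not stated in the thread): login sets $_SESSION['user_id'] and
// $_SESSION['token']; the client echoes the token in a cookie named 'token';
// the login page is /login.php; PHP 7.3+ for the array form of cookie params.
declare(strict_types=1);

const ROTATE_AFTER = 300;  // seconds an id is used before it is rotated (assumed policy)
const GRACE_PERIOD = 60;   // seconds the previous id keeps working after rotation (assumed)

ini_set('session.use_strict_mode', '1');   // ids with no server record are rejected
ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
session_set_cookie_params([
    'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
]);

ob_start();        // safety net: no body bytes reach the client before headers are final
session_start();

function fail(string $reason): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    header('Location: /login.php?reason=' . rawurlencode($reason)); // assumed login URL
    exit;
}

if (empty($_SESSION['user_id'])) {
    fail('not_logged_in');
}

// The cookie carries an id that was already rotated: the server moved on but
// the client never received the new cookie (e.g. it aborted mid-response).
if (isset($_SESSION['destroyed'], $_SESSION['new_session_id'])) {
    if ($_SESSION['destroyed'] < time() - GRACE_PERIOD) {
        fail('session_expired');   // old id reused long after rotation: treat as stolen
    }
    // Within the grace period: move this request onto the already-issued new id.
    // session_start() re-sends the cookie because the id was set programmatically.
    $newId = $_SESSION['new_session_id'];
    session_write_close();
    session_id($newId);
    session_start();
}

// Second factor of the OP's validation: a per-session token presented by the client.
if (!isset($_COOKIE['token'], $_SESSION['token'])
    || !hash_equals((string) $_SESSION['token'], (string) $_COOKIE['token'])) {
    fail('token_mismatch');
}

// Rotate a stale id now, before any output. The OLD record is not deleted; it
// is marked as rotated and remembers the new id so a late old-cookie request
// can be redirected onto the new session instead of being logged out.
if (($_SESSION['created_at'] ?? 0) < time() - ROTATE_AFTER) {
    $data  = $_SESSION;                        // carry the data to the new record
    $newId = session_create_id();
    $_SESSION['destroyed']      = time();
    $_SESSION['new_session_id'] = $newId;
    session_write_close();                     // persist the marked old record

    ini_set('session.use_strict_mode', '0');   // the new id has no record yet
    session_id($newId);
    session_start();                           // sends Set-Cookie with $newId
    ini_set('session.use_strict_mode', '1');

    $_SESSION = $data;
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
    $_SESSION['created_at'] = time();
}

// requinix's point: session work is finished, so write it and drop the lock.
// The rest of the page (and a slow or aborting client) no longer holds it.
session_write_close();
```

The shutdown-function idea in the first post pushes regeneration to the point where the page has usually already produced output, which is exactly when the Set-Cookie header can no longer be sent. Rotating at the top of the request and letting the old id linger for GRACE_PERIOD addresses the abort race without that constraint: the old record is only ever used to find new_session_id, and any use of the old id after the grace period is treated as a hijack attempt and ends the session.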
This topic is now archived and is closed to further replies.