dreamweaver login code :: regenerate session id


stijn0713

In the Dreamweaver login code, it regenerates the session ID before heading to the requested page. Why would one do that?


if ($loginFoundUser) {
    // session_regenerate_id(true) (PHP >= 5.1) also deletes the old session data;
    // older PHP versions only support the no-argument form
    if (PHP_VERSION >= 5.1) {
        session_regenerate_id(true);
    } else {
        session_regenerate_id();
    }

    // send the user back to the page they originally asked for, if one was stored
    if (isset($_SESSION['PrevUrl'])) {
        $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess);
} else {
    header("Location: " . $MM_redirectLoginFailed);
}


What is the security benefit?


I'd say that going from an unlogged user to a registered user is a privilege escalation, and as such session ID regeneration should always be utilized in a login script. If not, it would be rather trivial to hijack the account, fetch email addresses, or whatever else is associated with the account.

Also, the above script is not quite correct, as it's lacking a die() after the header redirects. It's necessary to kill the script after sending such a header, to prevent the PHP parser from parsing the rest of the code, something that can cause problems and/or pose a security risk.


Oh, I thought it was being changed on each request. Yes, it's to prevent fixation. It's pretty much an attacker tricking a victim into generating an ID he's crafted. Once the login happens, the attacker can then just access the restricted pages using the same session ID containing the victim's credentials. By regenerating the ID, you're destroying the crafted ID.

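The two points raised in the replies above (regenerate the session ID at the moment of login so a pre-planted ID stops being valid, and stop the script right after the Location header) put together in one login handler. This is an added example, not the Dreamweaver-generated code from the original post; the in-memory user table, the verify_credentials(), login_user() and redirect_and_stop() functions, and the /members.php and /login.php paths are all assumptions made up for the example.

```php
<?php
// Added example: a login handler that regenerates the session ID on
// successful login and exits after redirecting. Not the original poster's
// Dreamweaver code; the helper names and paths below are hypothetical.
declare(strict_types=1);

session_start();

// Constructed in-memory user table standing in for a database lookup.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

/**
 * Hypothetical credential check: returns the username on success, null otherwise.
 * Uses password_verify() so the stored value is a hash, never the plain password.
 */
function verify_credentials(array $users, string $username, string $password): ?string
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return null;
    }
    return $username;
}

/**
 * Promote an anonymous session to an authenticated one.
 * Regenerating the ID here means whatever ID the browser carried before
 * login, including one handed to it by a third party, no longer maps to
 * the logged-in session. Existing $_SESSION data (such as PrevUrl) is
 * carried over to the new ID.
 */
function login_user(string $username): void
{
    // true: delete the old session storage too, so the pre-login ID is
    // dead rather than merely unused (supported since PHP 5.1, as the
    // Dreamweaver snippet's version check reflects)
    session_regenerate_id(true);
    $_SESSION['user']         = $username;
    $_SESSION['logged_in_at'] = time();
}

/**
 * Send the redirect and stop. Without exit, everything after header()
 * still executes, which is the gap the second reply points out.
 */
function redirect_and_stop(string $location): void
{
    header('Location: ' . $location);
    exit;
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$loginFoundUser = verify_credentials($users, $username, $password);

if ($loginFoundUser !== null) {
    login_user($loginFoundUser);

    // Same PrevUrl convention as the Dreamweaver snippet, with a default
    // so $target is always set; clear it so it is not reused on a later login.
    $target = $_SESSION['PrevUrl'] ?? '/members.php';
    unset($_SESSION['PrevUrl']);
    redirect_and_stop($target);
}

redirect_and_stop('/login.php?failed=1');
```

The order matters: the credentials are checked first, the ID is regenerated second, and only then is anything written to $_SESSION that marks the user as logged in, so no authenticated state is ever attached to the pre-login ID. Calling session_regenerate_id() on every request, which the third reply mentions as a misreading, is unnecessary for this purpose; the privilege change at login is the point where the old ID must be retired.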
