stijn0713 Posted September 3, 2012

In Dreamweaver login code, it regenerates the session ID before heading to the requested page. Why would one do that?

```php
if ($loginFoundUser) {
    // Regenerate the session ID on successful login; delete the old session data where supported
    if (PHP_VERSION >= 5.1) {
        session_regenerate_id(true);
    } else {
        session_regenerate_id();
    }
    if (isset($_SESSION['PrevUrl'])) {
        $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess);
} else {
    header("Location: " . $MM_redirectLoginFailed);
}
```

What is the security benefit?
xyph Posted September 3, 2012

Prevents against session fixation. It's quite overkill, and only really NEEDS to be done when privileges are elevated. Nothing wrong with it though.
Christian F. Posted September 3, 2012

I'd say that going from an unlogged-in user to a registered user is a privilege escalation, and as such session ID regeneration should always be utilized in a login script. If not, it would be rather trivial to hijack the account, fetch email addresses, or whatever else is associated with the account.

Also, the above script is not quite correct, as it's lacking a die() after the header redirects. It's necessary to kill the script after sending such a header, to prevent the PHP parser from parsing the rest of the code. Something that can cause problems and/or pose a security risk.
stijn0713 Posted September 3, 2012 (Author)

I don't quite understand session hijacking or session fixation. Pages are restricted based on, say:

```php
// Send anyone without a valid session to the login page and stop the script there
if (!isset($_SESSION['Valid_user'])) {
    header("Location: login.php");
    exit;
}
```

What can I do with the SID then?
Christian F. Posted September 3, 2012

Then you need to search the web for articles explaining how sessions work, and what session fixation and hijacking is.
xyph Posted September 4, 2012

Oh, I thought it was being changed on each request. Yes, it's to prevent fixation. It's pretty much an attacker tricking a victim into generating an ID he's crafted. Once the login happens, the attacker can then just access the restricted pages using the same session ID containing the victim's credentials. By regenerating the ID, you're destroying the crafted ID.
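A hardened version of the login handler the thread discusses, as an added example that is not part of the original posts or of Dreamweaver's generated code: it regenerates the ID exactly at the anonymous-to-authenticated boundary, refuses session IDs the server never issued, and exits after each redirect as Christian F. suggests. It assumes PHP 7.3 or later, a form that POSTs `username` and `password`, and a constructed demo user in place of a real user table.

```php
<?php
// Added example (not the thread's or Dreamweaver's code): a login handler that
// regenerates the session ID at the privilege boundary and stops after redirecting.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and a POSTed login form.

// Reject session IDs the server never issued: a planted ID that is unknown to the
// session store is replaced rather than adopted.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,  // keep the ID out of document.cookie
    'secure'   => true,  // send it over HTTPS only
    'samesite' => 'Lax',
]);
session_start();

function verify_credentials(string $user, string $pass): ?int
{
    // Constructed demo user; a real app loads the id and hash from its user table.
    $demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return ($user === 'alice' && password_verify($pass, $demoHash)) ? 42 : null;
}

function safe_return_path(?string $url): string
{
    // Only follow a relative path on this site (no scheme, no protocol-relative "//").
    if ($url !== null && $url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//') {
        return $url;
    }
    return '/index.php';
}

$userId = verify_credentials($_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    header('Location: /login.php?failed=1');
    exit; // nothing below must run for a failed login
}

// Privilege boundary: anonymous -> authenticated. Issue a fresh ID and delete the
// old session data, so an ID planted before login no longer reaches this session.
// Do this before storing anything privileged in $_SESSION.
session_regenerate_id(true);
$_SESSION['user_id']   = $userId;
$_SESSION['logged_in'] = true;

$target = safe_return_path($_SESSION['PrevUrl'] ?? null);
unset($_SESSION['PrevUrl']);
header('Location: ' . $target);
exit; // stop here so the rest of the script cannot run after the redirect is sent
```

With `session.use_strict_mode` on, an ID that is not already in the session store is never adopted, so the regeneration at login is the second layer rather than the only one.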