tsangaris Posted November 16, 2014 Share Posted November 16, 2014 I am reading about sessions and i want to clear something out: When do we save the values into the SESSION? Before using session_regenerate_id(true) or after? The code below is saving the value to SESSION after using session_regenerate_id(true): session_start(); //accept data from a form (for example $email and $password)and process them //if the credentials are correct session_regenerate_id(true); $_SESSION['email'] = $email; $_SESSION['logged_in'] = 'TRUE'; header('Location:welcome.php'); exit(); Also, if the above code is the correct approach, what will happen if i save the values to SESSION and then regenerate the id? Is it going to change something? Thanks Quote Link to comment https://forums.phpfreaks.com/topic/292497-session-id-and-regeneration/ Share on other sites More sharing options...
requinix Posted November 16, 2014 Share Posted November 16, 2014 When do we save the values into the SESSION? Before using session_regenerate_id(true) or after?Doesn't matter because session_regenerate_id() doesn't delete the data. Also, if the above code is the correct approach, what will happen if i save the values to SESSION and then regenerate the id? Is it going to change something?It's going to change the session ID, which is the entire point of session_regenerate_id(), but the data stays the same. Quote Link to comment https://forums.phpfreaks.com/topic/292497-session-id-and-regeneration/#findComment-1496713 Share on other sites More sharing options...
tsangaris Posted November 16, 2014 Author Share Posted November 16, 2014 So in the SESSION array will only change the part SESSION['id'] but the rest of the data SESSION['email'] and SESSION['logged_in'] will stay the same? Quote Link to comment https://forums.phpfreaks.com/topic/292497-session-id-and-regeneration/#findComment-1496714 Share on other sites More sharing options...
requinix Posted November 16, 2014 Share Posted November 16, 2014 Everything in $_SESSION stays the same. Quote Link to comment https://forums.phpfreaks.com/topic/292497-session-id-and-regeneration/#findComment-1496766 Share on other sites More sharing options...
Jacques1 Posted November 18, 2014 Share Posted November 18, 2014 (edited) The above code is insecure. When you call session_start(), then PHP will either start a new session or resume an existing session. So you may very well run into an old session which is already filled with other data. If you just use that, you'll easily run into trouble. For example, the old session may have contained special permissions which are suddenly transferred to the user who has just logged in. One might also imagine a scenario where an attacker starts a session, fills it with data and then plants it on the victim. This way the attacker controls the content of the victim's session. So it's not enough to generate a fresh ID. You also have to delete all content to make sure you actually get a fresh session with no previous data: <?php session_start(); // generate a fresh ID and delete the current session if (session_regenerate_id(true)) { // clear any previous session content $_SESSION = array(); // write the new data to the session $_SESSION['email'] = $email; } I strongly recommend that you regenerate the ID before you write any data to the session. The old ID may be known by an attacker, and if the session_regenerate_id() call somehow fails or isn't called, then you end up writing all data to the attacker's session -- which is a classical session fixation attack. By the way, the logged_in parameter is superfluous, because you just have to check the presence of the email parameter to find out whether or now the user is logged in. Edited November 18, 2014 by Jacques1 Quote Link to comment https://forums.phpfreaks.com/topic/292497-session-id-and-regeneration/#findComment-1496891 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.