Session ID and regeneration


tsangaris

I am reading about sessions and I want to clear something up:

When do we save the values into the SESSION? Before using session_regenerate_id(true) or after?

The code below is saving the value to SESSION after using session_regenerate_id(true):

<?php

session_start();

// accept data from a form (for example $email and $password) and process them

// if the credentials are correct
session_regenerate_id(true);

$_SESSION['email'] = $email;
$_SESSION['logged_in'] = 'TRUE';

header('Location: welcome.php');
exit();

Also, if the above code is the correct approach, what will happen if I save the values to SESSION and then regenerate the id? Is it going to change something?

Thanks


When do we save the values into the SESSION? Before using session_regenerate_id(true) or after?

Doesn't matter because session_regenerate_id() doesn't delete the data.

 

Also, if the above code is the correct approach, what will happen if i save the values to SESSION and then regenerate the id? Is it going to change something?

It's going to change the session ID, which is the entire point of session_regenerate_id(), but the data stays the same.

The above code is insecure.

When you call session_start(), then PHP will either start a new session or resume an existing session. So you may very well run into an old session which is already filled with other data. If you just use that, you'll easily run into trouble. For example, the old session may have contained special permissions which are suddenly transferred to the user who has just logged in. One might also imagine a scenario where an attacker starts a session, fills it with data and then plants it on the victim. This way the attacker controls the content of the victim's session.

So it's not enough to generate a fresh ID. You also have to delete all content to make sure you actually get a fresh session with no previous data:

<?php

session_start();

// $email is the address that was already validated against the login form

// generate a fresh ID and delete the current session
if (session_regenerate_id(true))
{
    // clear any previous session content
    $_SESSION = array();

    // write the new data to the session
    $_SESSION['email'] = $email;
}

I strongly recommend that you regenerate the ID before you write any data to the session. The old ID may be known by an attacker, and if the session_regenerate_id() call somehow fails or isn't called, then you end up writing all data to the attacker's session -- which is a classical session fixation attack.

By the way, the logged_in parameter is superfluous, because you just have to check the presence of the email parameter to find out whether or not the user is logged in.

Edited by Jacques1
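The login flow from the answer above, written out as an added example (not code from the thread): the ID is regenerated first, the write path is refused if that fails, inherited data is wiped, and login state is derived from the presence of the email key. verify_credentials() is a hypothetical placeholder for whatever checks the form input.

```php
<?php
declare(strict_types=1);

// Establish a fresh, authenticated session for a user whose credentials
// have already been verified. Returns false if no fresh ID could be issued,
// in which case nothing is written (writing into the old, possibly
// attacker-chosen session is exactly the fixation scenario to avoid).
function establish_authenticated_session(string $email): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // true = delete the old session data file as well, so the previous ID
    // no longer maps to any stored data.
    if (!session_regenerate_id(true)) {
        return false;
    }

    // Drop everything the pre-login session may have carried
    // (planted values, stale permissions), then write only our own data.
    $_SESSION = [];
    $_SESSION['email'] = $email;   // presence of this key means "logged in"
    return true;
}

// No separate logged_in flag is needed: the email key is only ever set
// after a successful regenerate + reset.
function is_logged_in(): bool
{
    return session_status() === PHP_SESSION_ACTIVE && isset($_SESSION['email']);
}

// Usage in the login script (verify_credentials() is a placeholder):
// if (verify_credentials($email, $password)
//     && establish_authenticated_session($email)) {
//     header('Location: welcome.php');
//     exit();
// }
```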