regenerating session id

Solution 1

Instead of generating session IDs, why don't you encrypt and use the already generated one? It can be used and destroyed when the intended action is complete.

Solution 2

Calling session_regenerate_id on every page is an unnecessary overhead.

You should only be calling it at the point of login or any time you re-authorize a user.

Additionally, if you want, you could store the last regenerated time in the session and then call session_regenerate_id after, say, 30 minutes, but there's definitely no need for this to be done on every page.

Solution 3

I did have problems (on page refresh or inside AJAX requests) using session_regenerate_id(true); on each request.

But not with session_regenerate_id();

So, according to

Renew the Session ID After Any Privilege Level Change https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change

Regenerate SID on each request http://en.wikipedia.org/wiki/Session_fixation#Regenerate_SID_on_each_request

I use

  • session_regenerate_id(); on each request
  • session_regenerate_id(true); on login, logout etc (any privilege level change)

Solution 4

Best practice is to use SSL (and apply the usual defences against other security attack vectors such as XSS and SQL injection). Cycling session IDs is just begging for race conditions.

Solution 5

However, I heard criticisms of that function that say that if the page is refreshed too fast for some reason, the session id becomes invalid.

Well, I guess you have to try it out to confirm that, but I don't think you'll ever experience that problem.

Anyway, regenerating the session for every pageload doesn't secure you completely from session hijacking and uses resources that are better spent somewhere else. A better place to start would be looking at SSL. Encrypting the data between the client and the webserver is more secure.

I personally only regenerate a session id when a user logs in AND when a user logs out of my applications.
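Solutions 2, 3 and 5 all converge on the same rule: regenerate the ID when the privilege level changes (login, logout) and, at most, on a timer, never on every request. The following is an added example, not code from any answer on this page, showing how that looks in plain PHP. The cookie settings, the 30-minute interval and the function names (secure_session_start, rotate_session_id, login_user, logout_user) are my own choices and not something the answers prescribe.

```php
<?php
// Added example (not from any answer above): regenerate the session ID on
// privilege change and on a timer, instead of on every page load.
// Assumptions: PHP >= 7.3 (array form of session_set_cookie_params), HTTPS in use.

declare(strict_types=1);

// Optional timed rotation, as suggested in Solution 2 (30 minutes is an assumption).
const REGEN_INTERVAL = 30 * 60;

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Keep the cookie out of JavaScript (limits the XSS harvesting mentioned in
    // the comments) and off plain HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Timed rotation: remember when the ID was last changed. Doing this on a
    // timer rather than on every request avoids the AJAX race described in
    // Solutions 3 and 4, where a concurrent request still carries the old ID.
    if (!isset($_SESSION['regenerated_at'])) {
        $_SESSION['regenerated_at'] = time();
    } elseif (time() - $_SESSION['regenerated_at'] > REGEN_INTERVAL) {
        rotate_session_id();
    }
}

function rotate_session_id(): void
{
    // true = delete the old session data immediately, so old files do not
    // accumulate on the server (the concern raised in the last comment).
    session_regenerate_id(true);
    $_SESSION['regenerated_at'] = time();
}

// Privilege level goes up: issue a fresh ID so an ID fixed by an attacker
// before authentication is not carried over into the authenticated session.
function login_user(int $userId): void
{
    secure_session_start();
    rotate_session_id();
    $_SESSION['user_id'] = $userId;
}

// Privilege level goes down: clear the data, drop the cookie, destroy the session.
function logout_user(): void
{
    secure_session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Call secure_session_start() once at the top of each page, login_user() after credentials have been verified, and logout_user() from the logout handler. Nothing in the per-page path regenerates the ID unless the interval has elapsed, so ordinary refreshes and AJAX calls keep the same ID.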

Author: Dmitry Makovetskiyd

Updated on June 07, 2022

Comments

  • Dmitry Makovetskiyd
    Dmitry Makovetskiyd about 2 years

    I am thinking of using this code on every page to reduce the possibility of session hijacking, by renewing the session_id on every request:

    // Note: the superglobal is $_SESSION (upper case); $_session is a different, undefined variable.
    if(!empty($_SESSION)){ 
       session_start(); 
    }

    Another way to achieve this would be to do this:

    if(!empty($_SESSION)){ 
      session_regenerate_id(true); // true also deletes the old session data
    }

    However, I heard criticisms of that function that say that if the page is refreshed too fast for some reason, the session id becomes invalid.

    Another way to use the session id is to have more control over how a session is generated.

    There are other ways to achieve this. What's the best practice?

  • CodeCaster
    CodeCaster over 12 years
    SSL won't protect you from harvested cookies through, say, XSS.
  • Cheruiyot Felix
    Cheruiyot Felix over 12 years
    The best case is to regenerate the id only once, at the point of entry (login).
  • Dmitry Makovetskiyd
    Dmitry Makovetskiyd over 12 years
    I am familiar with SSL, but I don't want to buy it from my webhost.
  • Dmitry Makovetskiyd
    Dmitry Makovetskiyd over 12 years
    How do I do that? How do I get the session id? I have an encrypting function that works, and I could decrypt it. I am not concerned about speed. Is this the way to do it: session_id($newSession); and then when I decrypt it, how do I save the old session id? In the database?
  • Quentin
    Quentin over 12 years
    @Dmitry — Cheap or secure, pick one.
  • Cheruiyot Felix
    Cheruiyot Felix over 12 years
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_session'] = session_id();
    $user_session = $_SESSION['user_session']; // Try passing $user_session for encryption. You can echo it first for a test.
  • Dmitry Makovetskiyd
    Dmitry Makovetskiyd over 12 years
    Well, I am developing a political forum, I will go for the cheap option, why do I care?
  • Dmitry Makovetskiyd
    Dmitry Makovetskiyd over 12 years
    Why regenerate the session whenever the user logs into the webpage?
  • Cheruiyot Felix
    Cheruiyot Felix over 12 years
    After use, remember to unset the session: unset($_SESSION); You might also consider destroying it if you don't need it any more: session_destroy();
  • Repox
    Repox over 12 years
    I like the idea that whenever my user enters or leaves something I restricted to others, they start a new session. I have no technical arguments as to why.
  • Dmitry Makovetskiyd
    Dmitry Makovetskiyd over 12 years
    Okay, I got it, I need to put the session id into the database, then I need to encrypt the session id, and decrypt it when I want to compare it with the value in the database. Is that the way to do it?
  • Cheruiyot Felix
    Cheruiyot Felix over 12 years
    Yes, you can do that, and alternatively you can just hold the session in the browser cookies as they are. Check this site, it might be of great help: zimuel.it/en/encrypt-php-session-data
  • Repox
    Repox over 12 years
    It hasn't been an issue for me - I can't deny it can happen, as many people warn about it, but I haven't experienced it (yet).
  • Calmarius
    Calmarius over 10 years
    Doesn't session_regenerate_id(FALSE) litter the server with session files?