08 Aug 2007, by xqus

Regenerate PHP session id

One of my most popular posts is one from 2005 about regenerating session IDs in PHP.
Because of this, I thought it was about time I wrote an updated post on the topic.

Why should I regenerate the session ID?
One reason: to prevent session hijacking.
Session hijacking is when a hacker gets hold of a user's session ID and uses it to pretend he is that user.

When should I regenerate the session ID?
A general rule of thumb is to regenerate the session ID each time a user's access level changes:

  • When a user logs in
  • When a user logs out
  • When a user is granted administrative access

You could also choose to give the user a new ID once in a while, just to play it safe.

How?
Easy, at least if you have PHP 5.1.0 or greater.
Then you can just do this:

session_start();
session_regenerate_id(true); // issue a new ID and delete the data stored under the old one

It is important to pass true to session_regenerate_id(), so that the old session is destroyed and its ID can no longer be used; without it the old session data stays on the server and the old ID keeps working.
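As an added example (not part of the original post), here is how the three triggers from the list above and the "once in a while" refresh could be wired up in a PHP 5.1+ application. check_credentials() and is_admin_user() are hypothetical placeholders for the application's own checks.

```php
<?php
// Added example: regenerate the session ID on every change of access level.
// check_credentials() and is_admin_user() are hypothetical placeholders.
// Requires PHP >= 5.1.0 for session_regenerate_id(true).

session_start();

// Give the session a new ID, keep its data, and delete the old server-side
// record so an ID captured earlier is useless from now on.
function rotate_session_id()
{
    session_regenerate_id(true);
    $_SESSION['id_issued_at'] = time();
}

function login($username, $password)
{
    if (!check_credentials($username, $password)) {   // hypothetical
        return false;
    }
    rotate_session_id();            // access level rises: anonymous -> user
    $_SESSION['user']  = $username;
    $_SESSION['admin'] = false;
    return true;
}

function elevate_to_admin()
{
    if (empty($_SESSION['user']) || !is_admin_user($_SESSION['user'])) { // hypothetical
        return false;
    }
    rotate_session_id();            // access level rises again: user -> admin
    $_SESSION['admin'] = true;
    return true;
}

function logout()
{
    $_SESSION = array();            // drop the data first ...
    rotate_session_id();            // ... then retire the old ID as well
}

// "Once in a while": re-issue the ID on any request once it is 15 minutes old.
if (!isset($_SESSION['id_issued_at']) || time() - $_SESSION['id_issued_at'] > 900) {
    rotate_session_id();
}
```

Because the true argument deletes the old record immediately, a request that is still in flight with the old ID (for example a parallel background call) will find its session gone, so rotate on the main page request rather than in concurrent calls.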

If you use an older PHP version that does not support this (earlier than 5.1.0), you should do something like this:

session_start();
$tmp = $_SESSION;                  // keep the session data
session_destroy();                 // delete the old session data on the server
unset($_COOKIE[session_name()]);   // otherwise session_start() would reuse the old ID sent by the browser
session_start();                   // starts a fresh session with a new ID
$_SESSION = $tmp;                  // restore the data under the new ID

That's it. Easy.