With regards to session_regenerate_id(), as Gordon pointed out in a
previous post, the parameter to delete the old session was not added
until PHP 5.1.0.  I am running the 4.3 series, and am trying to manually
delete my old session as I am calling session_regenerate_id() on every
user request.

I do not want PHP's garbage collection script to run every time as that  
would obviously be a huge performance hit, and I checked in my session  
data folder and noticed that indeed the function does create a new  
session file for each request.

However, every time I regenerate the ID, I am storing the session array  
in a temp var, then killing the old session and the associated cookie,  
and then reassigning the session array to the new session.  As a result,  
all of the previous session files become empty (0 Kb) and only the  
newest session has the data.

My question is: even though there are technically many more valid
sessions with this method, does it matter?  I know an attacker could
hijack one of these sessions, but as far as I understand it, wouldn't it
be useless since there is no info in there?  I have found conflicting
reports online, so I am not sure if I am overlooking any vulnerabilities
with this model.

Thanks in advance!

Re: session_regenerate_id()

It depends on your code.

If the user comes to your page with an existing but empty session,
do you assume he's logged in?  If so, you're in big trouble.  What
is that user allowed to do?  If every page seeing such a session
redirects the user to the login page, you're probably OK.

                        Gordon L. Burditt

Re: session_regenerate_id()

Marcus wrote:

Do you realize that this stops users from using multiple tabs/windows to  
browse your website?

Nicholas Sherlock
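The following is an added example, not code posted by anyone in this thread. It shows the check Gordon's reply calls for (an existing but empty session is never treated as a login) and, for the multi-tab point Nicholas raises, rotates the session id only at login rather than on every request. It assumes a hypothetical session key $_SESSION['user_id'] set on successful login, and PHP 5.2 or later so that session_regenerate_id(true) and the httponly cookie parameter are available; both are assumptions, not facts from the thread.

```php
<?php
// Added example (not from the thread). Assumptions: a successful login
// stores the user's id in $_SESSION['user_id'] (hypothetical key), and
// PHP >= 5.2 so session_regenerate_id(true) deletes the old session file.

// An emptied (0-byte) session file deserialises to an empty $_SESSION, so
// the mere existence of a session must never be taken as "logged in".
function is_logged_in(array $session)
{
    return isset($session['user_id']) && (int) $session['user_id'] > 0;
}

// The pattern Gordon warns against: any existing session is trusted.
// A hijacked empty session would pass this check.
function is_logged_in_unsafe()
{
    return session_id() !== '';
}

// Every protected page calls this before doing anything else.
function require_login()
{
    if (!is_logged_in($_SESSION)) {
        header('Location: /login.php');
        exit;
    }
}

// Rotate the id when privilege changes (login), not on every request:
// that still defeats session fixation, but does not invalidate the id
// a second tab or window is about to send.
function login_user($userId)
{
    session_regenerate_id(true);          // new id, old file deleted
    $_SESSION['user_id'] = (int) $userId;
}

// On logout clear the data, expire the cookie and remove the file.
function logout_user()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page: anonymous or emptied sessions are redirected.
session_start();
require_login();
```

The point of contrast is between is_logged_in() and is_logged_in_unsafe(): the former only ever trusts a session that carries a value the login code put there, so the leftover zero-byte session files the original poster describes grant nothing even if one of their ids is captured.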

Re: session_regenerate_id()

Kimmo Laine wrote:

Unless next_page.php generates PHP, the script with this include will
only get HTML.


    <?php
    // next_page.php: emits PHP source as its output instead of plain HTML
    if (isset($_GET['foo'])) {
      echo '<?php echo $_GET[\'foo\']; ?>';
    } else {
      echo '<?php echo \'Not available\'; ?>';
    }
    ?>

File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot