Reputation: 3
Using Session_regenerate_id()
Why is it always recommended that session_regenerate_id() should be used before the user's session is created. As per my perception, session_regenerate_id() should be used once the user session id is created, and we need to re-generate it so as to mitigate the session fixation attack by the hacker.
Please suggest!!
Upvotes: 0
Views: 414
Answers (2)
Reputation: 83
From everything I have read the session_start() has to be called before anything else. The main idea is to create a new id each time so that if a hacker is on the same network, they will not have a static id to use to gain entry to your site. A good explanation of how this is done.
and here is an excellent answer that goes into more detail than the video:
https://stackoverflow.com/a/37492488/2654453
Upvotes: 0
Reputation: 3855
I'm not sure where you've gotten recommendation from, but the session_regenerate_id manual shows it being used after session_start, so your assumptions would be correct.
Upvotes: 1
Related Questions
- Is PHP's session_regenerate_id() collision free?
- What causes session_regenerate_id(true) to return false?
- PHP Sessions and session_regenerate_id
- PHP session_id regenerated on refresh
- Check if regenerate_session_id() function actually works / Other security questions
- Explanation for session_regenerate_id() proper usage
- can not understand regenerating session id
- Reason to Randomly Regenerate Session ID?
- regenerating session id
- Is regenerating the session ID after successful login sufficient to prevent session fixation?