user1813383

Reputation: 35

Reason to Randomly Regenerate Session ID?

Is this good practice? I've never seen it done before but it works well so far.

if(mt_rand(1, 10) == 1) {     # regenerate "randomly" on 10% of requests
    session_regenerate_id();
}

Thanks. :)

Upvotes: 0

Views: 331

Answers (1)

Nick Rolando

Reputation: 26167

I think for whatever proper reason or context you would regenerate the session ID, you should do it every time, not just sometimes randomly (in your case on a 10% basis). I don't see how doing it every time is bad practice (correct me if I'm wrong, I'd be curious as to why). If someone has hacked a session, then regenerating the ID will cause the "hacker" to lose their hacked session. If you only regenerate the ID 10% of the time, then there is a 90% chance they will still maintain their hacked session. No bueno.

Upvotes: 1
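As an added illustration of the answer's point (this is example code, not the asker's snippet or the answerer's code), the following PHP rotates the session ID deterministically: once at every privilege boundary such as login, and optionally once per fixed interval tracked inside the session itself, so that no request outcome depends on a dice roll. The function names and the `$_SESSION` keys (`last_rotation`, `user_id`) are assumptions chosen for the example.

```php
<?php
// Added example: deterministic session ID regeneration in PHP.
// Assumed helper names and $_SESSION keys; only session_regenerate_id(),
// session_get_cookie_params(), setcookie() and session_destroy() are
// standard PHP functions.

session_start();

/**
 * Rotate the session ID and discard the old session data on the server,
 * so an ID handed out before authentication (session fixation) stops
 * being valid the moment the user logs in.
 */
function rotate_session(): void
{
    // true = delete the old session file rather than leaving it behind
    session_regenerate_id(true);
    $_SESSION['last_rotation'] = time();
}

/**
 * Call on every successful authentication: rotate first, then record
 * the authenticated identity in the fresh session.
 */
function login_user(int $userId): void
{
    rotate_session();
    $_SESSION['user_id'] = $userId;
}

/**
 * Optional time-based rotation on every request. Unlike a random 10%
 * check, this guarantees an upper bound on how long any leaked ID
 * stays usable (here 15 minutes, an assumed value).
 */
function rotate_if_stale(int $maxAgeSeconds = 900): void
{
    $last = $_SESSION['last_rotation'] ?? 0;
    if (time() - $last >= $maxAgeSeconds) {
        rotate_session();
    }
}

/**
 * Full logout: clear the data, expire the cookie, destroy the session.
 */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Typical request flow (application code is assumed, not shown):
rotate_if_stale();
// if ($credentialsOk) { login_user($id); }
// on a logout request: logout_user();
```

The important call is the one in `login_user()`: rotating immediately before the session gains its authenticated state is what defeats fixation, and passing `true` to `session_regenerate_id()` ensures the old ID cannot be replayed. The interval rotation is a secondary bound and is deliberately unconditional rather than probabilistic.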
