Daniel Rotnemer

Reputation: 105

Is PHP's session_regenerate_id() collision free?

I am currently working on a project in PHP (7.2). I call the session_regenerate_id() function on every request to prevent session hijacking attacks (it is a small part of the whole process of detecting a hijacked session).

The question is the following: I expect to manage many sessions on my server. Should I check if the new session_id() value (after I called session_regenerate_id()) is used by another (existing) session? In other words: Is session_regenerate_id() collision free?

I know the function session_create_id is collision free when used in an active session (after session started), but the manual doesn't mention that about the session_regenerate_id function.

Any ideas / suggestions? Thank you.

Upvotes: 0

Views: 262

Answers (1)

Anonymous

Reputation: 12017

Yes. session_regenerate_id calls session_create_id so it's also collision free:

sid = php_session_create_id((void**)&data);

Upvotes: 2
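One way to observe the call path the answer describes, as an added example that is not part of the original question or answer: a SessionHandler subclass wraps the built-in handler and records every ID that create_sid() hands out while session_regenerate_id() is called repeatedly from the PHP CLI. The class name AuditingHandler, the temporary directory name and the loop count are assumptions made for this demo, and it assumes the default files save handler.

```php
<?php
// Constructed demo, run from the CLI: php regen_demo.php
// AuditingHandler is a hypothetical name; it only wraps the built-in handler.
class AuditingHandler extends SessionHandler
{
    public $issued = [];     // every ID returned by create_sid() in this process
    public $duplicates = 0;  // IDs handed out more than once in this process

    public function create_sid(): string
    {
        $sid = parent::create_sid();  // delegate to the built-in generator
        if (isset($this->issued[$sid])) {
            $this->duplicates++;
        }
        $this->issued[$sid] = true;
        return $sid;
    }
}

// Isolated save path so the demo never touches real session files.
$dir = sys_get_temp_dir() . '/sess_regen_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');      // no cookie headers needed on the CLI
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

$handler = new AuditingHandler();
session_set_save_handler($handler, true);
session_start();

for ($i = 0; $i < 1000; $i++) {
    // true = delete the old session data, so a stale ID cannot be replayed
    session_regenerate_id(true);
}

// This is an observation of one run, not a proof of uniqueness.
printf("create_sid() calls: %d, duplicates seen: %d\n",
    count($handler->issued) + $handler->duplicates, $handler->duplicates);

session_destroy();
@rmdir($dir);
```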
