bobo

Reputation: 8727

Will session id be re-generated automatically from time to time?

When calling session_start() for the first time, a new session will be generated. Later, when session_start is called again, the session will be resumed using the session id in the cookie (or from GET/POST request if session.use_trans_sid is turned on on the server) sent by the client.

For enhanced security, a new session id can be re-generated for the user from time to time, even when he/she has not logged out and logged in again.

Does this behavior happen automatically, meaning that this is the default setting on most web servers? Or does it require manual coding?

Upvotes: 1

Views: 240

Answers (1)

kapa

Reputation: 78731

It does not happen automatically.

You have to use session_regenerate_id().

session_regenerate_id() will replace the current session id with a new one, and keep the current session information.

It is a good practice that you change the session id at least every time the user's privilege level changes (simplest example being when he logs in).

Upvotes: 2
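
An added example, not part of the answer above: one way to code both cases discussed on this page, rotating the session id on login and again once it reaches a chosen age. The function names, the `id_issued_at` and `user_id` session keys, and the 15-minute interval are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Assumed rotation interval for this example; PHP itself never rotates the id.
const ID_MAX_AGE = 900; // seconds

// Start or resume the session, then rotate the id if it is older than ID_MAX_AGE.
function start_session_with_rotation(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Refuse session ids that this server did not issue (limits session fixation).
        ini_set('session.use_strict_mode', '1');
        session_start();
    }

    $now = time();
    if (!isset($_SESSION['id_issued_at'])) {
        // First request of this session: record when the id was issued.
        $_SESSION['id_issued_at'] = $now;
    } elseif ($now - $_SESSION['id_issued_at'] >= ID_MAX_AGE) {
        rotate_session_id();
    }
}

// Replace the session id while keeping everything stored in $_SESSION.
function rotate_session_id(): void
{
    // true = delete the old session's stored data so the old id stops resolving.
    session_regenerate_id(true);
    $_SESSION['id_issued_at'] = time();
}

// Call only after the credentials have been verified (privilege level changes).
function on_login(int $userId): void
{
    rotate_session_id();
    $_SESSION['user_id'] = $userId;
}

// Every page calls this instead of a bare session_start().
start_session_with_rotation();
```

Deleting the old session immediately can drop a user whose concurrent requests still carry the old id; the PHP manual describes keeping the old session briefly with a destroy timestamp as the alternative.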
