php Function Session_Regenerate_ID() - Function, Definition and Usage

Article about php function session_regenerate_id() - Function, Definition and Usage

Session handling is a way to make the data available across various pages of a web application. This is done using a unique ID which is passed from the server to the browser and then retrieved at every request from the same web page. This helps in minimizing the chances of Session hijacking. But one of the problems associated with this approach is that regenerating the session id at every request can cause unnecessary overhead as it requires the browser to send the new cookie with each request which may not always be possible.

This is why many developers use a function called session_regenerate_id() which replaces the current session id with a new one on each request without destroying any existing data. This can be used to avoid session fixation as well as to logout the user.

The problem is that this does not protect against session hijacking if the hacker has access to the cookies on the clients computer. In such cases the hacker can grab the old session id and hijack the existing web application. This is not very much different from stealing the passwords on a users computer.

So if you want to keep your site secure then it is better to regenerate the session id only when the level of authentication changes (such as when the user logs in or out). This will ensure that the hacker does not have access to the existing sessions. Also you need to make sure that your site uses SSL to prevent this type of hacking.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

session_regenerate_id example

if (null !== $lifetime && $lifetime != \ini_get('session.cookie_lifetime')) {
            $this->save();
            ini_set('session.cookie_lifetime', $lifetime);
            $this->start();
        }

        if ($destroy) {
            $this->metadataBag->stampNew();
        }

        return session_regenerate_id($destroy);
    }

    /** * @return void */
    public function save()
    {
        // Store a copy so we can restore the bags in case the session was not left empty         $session = $_SESSION;

        foreach ($this->bags as $bag) {
            
if (null !== $lifetime && $lifetime != \ini_get('session.cookie_lifetime')) {
            $this->save();
            ini_set('session.cookie_lifetime', $lifetime);
            $this->start();
        }

        if ($destroy) {
            $this->metadataBag->stampNew();
        }

        return session_regenerate_id($destroy);
    }

    /** * @return void */
    public function save()
    {
        // Store a copy so we can restore the bags in case the session was not left empty         $session = $_SESSION;

        foreach ($this->bags as $bag) {
            

    }

    /** * Regenerates the session ID. * * @param bool $destroy Should old session data be destroyed? */
    public function regenerate(bool $destroy = false)
    {
        $_SESSION['__ci_last_regenerate'] = Time::now()->getTimestamp();
        session_regenerate_id($destroy);

        $this->removeOldSessionCookie();
    }

    private function removeOldSessionCookie(): void
    {
        $response              = Services::response();
        $cookieStoreInResponse = $response->getCookieStore();

        if ($cookieStoreInResponse->has($this->config->cookieName)) {
            return;
        }
<?php
require __DIR__.'/common.inc';

session_set_save_handler(new TestSessionHandler('abc|i:123;'), false);
session_start();

session_regenerate_id(true);

ob_start(fn ($buffer) => str_replace(session_id(), 'random_session_id', $buffer));
Home | Imprint | This part of the site doesn't use cookies.