Do I need to use session_regenerate_id on all pages?

Guys, I came across this function recently. I know it generates another random ID for the session, but my question is the following: can I use this function only once, right after logging in, and not need to use it on the other pages? Will my session already be "safe"?

  • The purpose is to prevent session theft.

  • I find it a kind of silly way to avoid session theft. To "steal" the session, first you need traffic without HTTPS, and someone monitoring it. If you keep changing the ID, the user himself may have problems with several open tabs, etc. I find it more interesting to do a separate control. But any more serious application will use HTTPS, and it makes no sense to generate a new ID that way. I find it more interesting to use this to renew the session, for example, to avoid a timeout because of the cookie. If the person has the technology to steal the old ID, he sees the new one passing the same way.

1 answer

According to the PHP documentation on Sessions and security:

Executing the session_regenerate_id() function could result in a DoS attack, in the same way as use_strict_mode=On. However, DoS is still better than an exposed account. The session ID must be renewed at least when the user authenticates. Renewing the session ID reduces the risk of the session ID being stolen, so it should be run periodically. The developer should not depend on the expiration of the session ID. Attackers can access the victim’s session ID periodically to prevent it from expiring. Developers must implement their own expiration means for older sessions.

See what the text says: "at least" once doesn’t mean you can’t do it on every page.

You should analyze the situation you are in and how long your sessions stay open.

For example, in a system I maintain where sessions remain open for a long time, I call session_regenerate_id() every time a PHP script is called.

In other situations, you can restrict its use to authentication.
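As an added example (not code from the question, the answer or the PHP manual), the following PHP 7.3+ bootstrap puts the answer's advice and the quoted manual text together: the ID is regenerated at login and then periodically (set ROTATE_EVERY to 0 to rotate on every request, as the answer does), the previous ID is kept valid for a short grace window so parallel tabs and AJAX requests do not lose the session (the multi-tab concern raised in the comments), and idle and absolute expiry are enforced by the application rather than left to PHP's garbage collector. The function names, `$_SESSION` keys and all time limits are assumptions chosen for the example.

```php
<?php
// Added example, not from the original answer: include secure_session_start()
// at the top of every page and call login_user() once credentials are verified.
// All limits and key names below are assumptions; tune them to your application.
declare(strict_types=1);

const IDLE_LIMIT     = 30 * 60;   // expire after 30 min without a request
const ABSOLUTE_LIMIT = 8 * 3600;  // expire 8 h after login regardless of activity
const ROTATE_EVERY   = 15 * 60;   // rotate the ID every 15 min (0 = every request)
const OLD_ID_GRACE   = 60;        // seconds the old ID stays usable after a rotation

function secure_session_start(): void
{
    // Strict mode: refuse IDs the server never issued (blocks session fixation).
    // ini_set() changes apply to this request only; they must precede session_start().
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'secure'   => true,   // HTTPS only: the cookie is never sent over plain HTTP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
    $now = time();

    // The client presented an ID that has already been rotated away.
    if (isset($_SESSION['destroyed'])) {
        if ($now - $_SESSION['destroyed'] > OLD_ID_GRACE) {
            reset_session();          // stale ID outside the grace window: drop everything
            return;
        }
        // Inside the grace window: move this client onto the current ID.
        $newId = $_SESSION['new_session_id'];
        session_commit();
        session_id($newId);           // this ID exists in storage, so strict mode accepts it
        session_start();
    }

    // PHP's session GC is not a security control; enforce expiry ourselves.
    $idle   = isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > IDLE_LIMIT;
    $tooOld = isset($_SESSION['login_time'])    && $now - $_SESSION['login_time']    > ABSOLUTE_LIMIT;
    if ($idle || $tooOld) {
        reset_session();
        return;
    }
    $_SESSION['last_activity'] = $now;
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    }
    if ($now - $_SESSION['created'] >= ROTATE_EVERY) {
        rotate_session_id();
    }
}

// Forget all data and move to a brand-new ID; the old record is deleted at once.
function reset_session(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

// Rotate without breaking concurrent requests: instead of deleting the old record,
// leave a tombstone in it (timestamp + pointer to the new ID) for OLD_ID_GRACE seconds.
function rotate_session_id(): void
{
    $data  = $_SESSION;                       // copy: session_start() below replaces $_SESSION
    $newId = session_create_id();             // collision-free while the session is active
    $_SESSION['destroyed']      = time();
    $_SESSION['new_session_id'] = $newId;
    session_commit();                         // persist the tombstone under the old ID

    ini_set('session.use_strict_mode', '0');  // strict mode would reject an ID not yet in storage
    session_id($newId);
    session_start();

    $_SESSION = $data;                        // carry the real data over to the new ID
    $_SESSION['created'] = time();
}

// Call right after the password check succeeds: the privilege level changes,
// so the pre-login ID must not survive (an attacker who planted it loses it).
function login_user(int $userId): void
{
    session_regenerate_id(true);              // at login there is nothing worth a grace window
    $now = time();
    $_SESSION['user_id']       = $userId;
    $_SESSION['login_time']    = $now;
    $_SESSION['last_activity'] = $now;
    $_SESSION['created']       = $now;
}
```

The grace-window handling is what makes per-request rotation tolerable for multi-tab users: a second tab whose request is still carrying the previous cookie gets silently moved to the new ID instead of landing on an empty session, while a request that shows up with an old ID long after the rotation is treated as suspicious and discarded.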

  • It may not be the best alternative, but in this case I intend to generate a new session every hour, or even every 24 hours. Do you find that plausible?

  • @Otaviofagundes, why every 24 hours? Will a user stay that long? In this case, wouldn’t it be enough to do this on login? I have applications that have been running for about 4 years with the regenerate alongside session_start on all pages. It works smoothly.

  • The guy above said, "If you keep changing the ID, the user himself may have problems with several open tabs, etc."; this ended up leaving me a little confused.

  • @Otaviofagundes, I recommend you implement and test. I use several tabs of the same system without problems, and in addition, other tabs with other systems on the same server, all without any problem.

  • I’ll do the same way you use, thank you!

  • Consider using HTTPS, as pointed out by Bacco. HTTPS is very important for security.

  • Yes, I will use it, but I will use regenerate to handle the session as well.
