session_regenerate_id()

  • Marcus

    session_regenerate_id()

    Hello,

    With regards to session_regenerate_id(), as Gordon pointed out on a
    previous post, the parameter to delete the old session was not added
    until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
    delete my old session as I am calling session_regenerate_id() on every
    user request.

    I do not want PHP's garbage collection script to run every time as that
    would obviously be a huge performance hit, and I checked in my session
    data folder and noticed that indeed the function does create a new
    session file for each request.

    However, every time I regenerate the ID, I am storing the session array
    in a temp var, then killing the old session and the associated cookie,
    and then reassigning the session array to the new session. As a result,
    all of the previous session files become empty (0 Kb) and only the
    newest session has the data.

    My question is even though there are technically many more valid
    sessions with this method, does it matter? I know an attacker could
    hijack one of these sessions, but as far as I understand it, wouldn't it
    be useless since there is no info in there? I have found conflicting
    reports online so I am not sure if I am overlooking any vulnerabilities
    with this model.

    Thanks in advance!
  • Gordon Burditt

    #2
    Re: session_regenerate_id()

    >With regards to session_regenerate_id(), as Gordon pointed out on a
    >previous post, the parameter to delete the old session was not added
    >until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
    >delete my old session as I am calling session_regenerate_id() on every
    >user request.
    >
    >I do not want PHP's garbage collection script to run every time as that
    >would obviously be a huge performance hit, and I checked in my session
    >data folder and noticed that indeed the function does create a new
    >session file for each request.
    >
    >However, every time I regenerate the ID, I am storing the session array
    >in a temp var, then killing the old session and the associated cookie,
    >and then reassigning the session array to the new session. As a result,
    >all of the previous session files become empty (0 Kb) and only the
    >newest session has the data.
    >
    >My question is even though there are technically many more valid
    >sessions with this method, does it matter?

    It depends on your code.
    >I know an attacker could
    >hijack one of these sessions, but as far as I understand it, wouldn't it
    >be useless since there is no info in there?

    If the user comes to your page with an existing but empty session,
    do you assume he's logged in? If so, you're in big trouble. What
    is that user allowed to do? If every page seeing such a session
    redirects the user to the login page, you're probably OK.
    >I have found conflicting
    >reports online so I am not sure if I am overlooking any vulnerabilities
    >with this model.

    Gordon L. Burditt

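    The rotation Marcus describes, together with the login check Gordon is asking about, as an added example that is not code from this thread or from PHP itself. It copies the session data, generates a new ID, removes the old session file by hand (the step PHP < 5.1.0 needs because session_regenerate_id() has no delete_old_session parameter there), restores the data, and then gates the page on an explicit login marker rather than on the mere existence of a session. The code is written for current PHP; the steps are the same on the 4.3 series. Assumptions not taken from the thread: the default "files" save handler, whose files are named sess_<id> under session_save_path(); a login handler that sets $_SESSION['user_id'] and $_SESSION['auth_ts']; and /login.php as the login page.

```php
<?php
// Added example, not code from the thread. Session ID rotation with manual
// removal of the old session file, plus a login check that never treats an
// existing but empty session as authenticated.
//
// Assumptions (not from the thread): the default "files" save handler with
// sess_<id> files under session_save_path(); the login handler sets
// $_SESSION['user_id'] and $_SESSION['auth_ts']; /login.php is the login page.
// On PHP >= 5.1.0, session_regenerate_id(true) replaces the manual unlink.

function rotate_session_id()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $old_id   = session_id();
    $old_data = $_SESSION;              // keep a copy of the live data

    // New ID and new cookie; the file for $old_id is left behind (this is
    // the 0 KB file Marcus sees once the old session's data is gone).
    session_regenerate_id();

    // Remove the orphaned file now instead of waiting for garbage collection.
    $old_file = session_file_path($old_id);
    if ($old_file !== null && is_file($old_file)) {
        @unlink($old_file);
    }

    $_SESSION = $old_data;              // carry the data into the new session
    return $old_id;
}

// Path of a session file under the "files" handler. Assumption: plain
// directory form of session.save_path (the "N;mode;/path" form is not handled).
function session_file_path($id)
{
    // Only build a path from a well-formed session ID (sid charset is
    // 0-9, a-z, A-Z, "," and "-").
    if (!preg_match('/^[A-Za-z0-9,-]+$/', $id)) {
        return null;
    }
    $dir = session_save_path();
    if ($dir === '') {
        $dir = sys_get_temp_dir();      // PHP falls back to the system temp dir
    }
    return rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'sess_' . $id;
}

// Gordon's point: a check such as
//     if (session_id() !== '') { /* treat as logged in */ }
// accepts any hijacked, empty session. Require the marker the login code set.
function is_authenticated()
{
    return isset($_SESSION['user_id'], $_SESSION['auth_ts'])
        && is_int($_SESSION['user_id'])
        && is_int($_SESSION['auth_ts']);
}

function require_login($login_url = '/login.php')   // assumed login page
{
    if (!is_authenticated()) {
        header('Location: ' . $login_url);
        exit;
    }
}

// Per-request use: rotate first, then gate the page.
session_start();
rotate_session_id();
require_login();
```

    With this check in place, a leftover empty session from an earlier request only ever lands an attacker on the login page. Rotating on every request still has the side effect Nicholas raises below for users with several tabs open; rotating only when the authentication state changes (at login, and on privilege changes) avoids that while keeping the fixation protection.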

    • Nicholas Sherlock

      #3
      Re: session_regenerate_id()

      Marcus wrote:
      > With regards to session_regenerate_id(), as Gordon pointed out on a
      > previous post, the parameter to delete the old session was not added
      > until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
      > delete my old session as I am calling session_regenerate_id() on every
      > user request.

      Do you realize that this stops users from using multiple tabs/windows to
      browse your website?

      Cheers,
      Nicholas Sherlock


      • R. Rajesh Jeba Anbiah

        #4
        Re: session_regenerate_id()

        Nicholas Sherlock wrote:
        > Marcus wrote:
        <snip>
        > > I am running the 4.3 series, and am trying to manually
        > > delete my old session as I am calling session_regenerate_id() on every
        > > user request.
        >
        > Do you realize that this stops users from using multiple tabs/windows to
        > browse your website?

        That is the *real* use of session_regenerate_id(), especially to
        avoid the back button.


        --
        <?php echo 'Just another PHP saint'; ?>
        Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

