Should I regenerate_session_id on every page?

既然无缘 2021-01-15 08:41

I am trying to add more security to my user authentication sessions. When the user logs in I regenerate_session_id, but I would like your answer on if I rege

2 Answers
  •  借酒劲吻你
    2021-01-15 09:30

    It may make things more secure but it also introduces problems (e.g. when the user opens more than one tab/window of your page in his browser and navigates on them in parallel). In my opinion it is better to use cookies for the sessions. Though, you could use session_regenerate_id() anyway as it works on cookies, too.

    Additionally, you should also check whether the user is still allowed to visit that page. He/she may have been banned but with your current setup he/she would still be able to visit your pages.
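
An added example, not part of the answer above or of the asker's code: one way to combine the points raised, regenerating the ID at login, rotating it on a timer instead of on every page so parallel tabs keep working, and re-checking on each request that the user may still visit. The interval, the session keys and the `is_user_banned()` lookup with its sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const REGEN_INTERVAL = 300; // seconds between ID rotations (assumed value)

// Hypothetical lookup; constructed sample data stands in for a users table.
function is_user_banned(int $userId): bool
{
    $banned = [42 => true]; // constructed sample data
    return $banned[$userId] ?? false;
}

// Call once, after the credentials have been verified.
function on_login(int $userId): void
{
    // New ID at the privilege change; the old session data is deleted,
    // so an ID that was known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['regenerated_at'] = time();
}

// Call at the top of every protected page, after session_start().
function require_active_user(): int
{
    $userId = $_SESSION['user_id'] ?? null;
    if (!is_int($userId) || is_user_banned($userId)) {
        // Not logged in, or banned since login: drop the session.
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Access denied');
    }
    // Rotate on a timer rather than on every request. The old session is
    // kept (false) so a parallel request from another tab that still sends
    // the old cookie does not fail; the trade-off is that the old ID stays
    // usable until session garbage collection removes it.
    if (time() - ($_SESSION['regenerated_at'] ?? 0) >= REGEN_INTERVAL) {
        session_regenerate_id(false);
        $_SESSION['regenerated_at'] = time();
    }
    return $userId;
}

session_start();
$userId = require_active_user();
```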
