Close session and start a new one

Front-end · Unresolved · 4 · 1506
小蘑菇 2020-12-17 17:09

I'm testing the implementation of a security check in my PHP sessions. I can successfully detect whether the session was started from another IP address and I can successful

4 answers
  • 2020-12-17 17:14

    session_destroy() will destroy the session data. For example,

    session_start();
    $_SESSION["test"] = "test";
    session_write_close();
    session_start();
    // The session data has now been written to the session file.
    // Calling session_destroy() removes all session data from that file.
    session_destroy();
    // However, you can still access $_SESSION here, because the array in memory is untouched.
    print_r($_SESSION);
    // But once you start the session again...
    session_start();
    // ...all session data is gone, as the session file is now empty.
    print_r($_SESSION);

    will output

    array([test] => "test")array()
    
  • 2020-12-17 17:21

    Use this

    unset($_SESSION['ip_address']);

    instead of 'unset($_session)'. You can also use session_destroy().

  • 2020-12-17 17:27

    When a new user connects to your server, the script should only be able to access that user's session variables. You will want to store other info in a hashed session variable to verify that the session is not being jacked. If it is being jacked, there is no reason to start a new session; maybe just exit the script with a warning.

    Here is the function a lot of people use for fingerprinting a session:

    // $server_secure_word: a secret known only to the server, mixed into the hash.
    // $ip_blocks: how many leading octets of the client IP to include (2 = /16).
    function fingerprint($server_secure_word, $ip_blocks = 2) {
        $fingerprint = $server_secure_word;
        $fingerprint .= $_SERVER['HTTP_USER_AGENT'];
        $blocks = explode('.', $_SERVER['REMOTE_ADDR']);
        // Only the first $ip_blocks octets go into the hash, so a client whose
        // address moves within the same network prefix keeps its session.
        for ($i = 0; $i < $ip_blocks && $i < count($blocks); $i++) {
            $fingerprint .= $blocks[$i] . '.';
        }
        return md5($fingerprint);
    }
    
  • 2020-12-17 17:33

    Just call session_unset after session_regenerate_id to reset $_SESSION for the current session:

    if (isset($_SESSION['ip_address']) && $_SERVER['REMOTE_ADDR'] != $_SESSION['ip_address']) {
        // Check failed: we'll start a brand new session
        session_regenerate_id(FALSE); // pass TRUE to also delete the old session's data on the server
        session_unset();              // empty $_SESSION for the new ID
    }
    
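Putting the last two answers together, here is an added example (not code from any of the answers above) of a fingerprint check that wipes the session and issues a new ID on mismatch. It assumes session_start() has already run, that the caller supplies a server-side secret in $secret, and the function names are my own.

```php
<?php
// Added example, not from the answers above. Assumes session_start() has already
// been called and that $secret is a server-side secret loaded from configuration.

// Fingerprint the request from properties that should not change mid-session.
// hash_hmac() keyed with the server secret replaces the plain md5() used above.
function session_fingerprint(string $secret, int $ipBlocks = 2): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    // Keep only the leading IPv4 octets so a client whose address moves within
    // the same prefix is not logged out on every request. An IPv6 address has
    // no '.', so explode() returns it whole and it must then match exactly.
    $prefix = implode('.', array_slice(explode('.', $ip), 0, $ipBlocks));
    return hash_hmac('sha256', $ua . '|' . $prefix, $secret);
}

// Discard the current session contents and its ID in one step. With true,
// session_regenerate_id() also deletes the old session's data on the server,
// so the old ID cannot be replayed to reach it (the FALSE call above leaves it).
function reset_session(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

// Record the fingerprint on first use; on any later mismatch wipe the session.
// Returns false when the session was reset so the caller can require a re-login.
function enforce_fingerprint(string $secret): bool
{
    $current = session_fingerprint($secret);
    if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $current)) {
        reset_session();
        $_SESSION['fp'] = $current;
        return false;
    }
    $_SESSION['fp'] = $current;
    return true;
}

// Typical use at the top of a request, right after session_start():
// if (!enforce_fingerprint($secret)) { header('Location: /login'); exit; }
```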