I am thinking of using this code on every page to reduce the possibility of session hijacking, by renewing the session_id on every request:
if(!empty($_sessio
Best practice is to use SSL (and apply the usual defences against other security attack vectors such as XSS and SQL injection). Cycling session ids is just begging for race conditions.
I had problems indeed (on page refresh or inside ajax requests) using session_regenerate_id(true); on each request.
But not with session_regenerate_id();
So, according to
Renew the Session ID After Any Privilege Level Change https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
Regenerate SID on each request http://en.wikipedia.org/wiki/Session_fixation#Regenerate_SID_on_each_request
I use
session_regenerate_id();
on each request, and
session_regenerate_id(true);
on login, logout etc. (any privilege level change).
However, I heard criticisms of that function that say that if the page is refreshed too fast for some reason, the session id becomes invalid.
Well, I guess you have to try it out to confirm that, but I don't think you'll ever experience that problem.
Anyway, regenerating the session for every pageload doesn't secure you completely from session hijacking and uses resources that are better spent somewhere else. A better place to start would be looking at SSL. Encrypting the data between the client and the webserver is more secure.
I personally only regenerate a session id when a user logs in AND when a user logs out of my applications.
Calling session_regenerate_id on every page is an unnecessary overhead.
You should only be calling it at the point of login or any time you re-authorize a user.
If you want, additionally you could store the last regenerated time in the session and then call session_regenerate_id after, say, 30 minutes, but there's definitely no need for this to be done on every page.
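The following is an added example, not code posted by anyone in this thread, that puts the two answers above into practice: the session ID is regenerated on login and logout (privilege level changes) with the old session record deleted, and otherwise only after a 30-minute interval tracked in the session, with delete_old_session left false so a concurrent in-flight request that still carries the old ID (the page-refresh/AJAX problem described above) does not land on an already-destroyed session. The cookie settings, the SESSION_ROTATE_INTERVAL constant and the function names are assumptions chosen for this example.

```php
<?php
// Added example (not from any answer on this page). Assumes PHP >= 7.3 for the
// array form of session_set_cookie_params() and a site served over HTTPS.
declare(strict_types=1);

const SESSION_ROTATE_INTERVAL = 1800; // 30 minutes, as suggested in the answer above

function startSecureSession(): void
{
    // Cookie-only sessions and strict mode: the server never accepts a session ID
    // it did not issue itself, which removes the classic fixation vector.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumes HTTPS, as the first answer recommends
        'httponly' => true,   // keeps the cookie out of reach of page scripts (XSS)
        'samesite' => 'Lax',
    ]);
    session_start();

    // Time-based rotation: regenerate only once the interval has elapsed,
    // not on every request.
    $now = time();
    if (!isset($_SESSION['sid_created_at'])) {
        $_SESSION['sid_created_at'] = $now;
    } elseif ($now - $_SESSION['sid_created_at'] > SESSION_ROTATE_INTERVAL) {
        rotateSessionId();
    }
}

function rotateSessionId(): void
{
    // Issue a new ID but keep the old session record until garbage collection.
    // delete_old_session=false means a second request that raced in with the
    // old ID (refresh, AJAX) still finds its data instead of an empty session.
    session_regenerate_id(false);
    $_SESSION['sid_created_at'] = time();
}

function onLogin(int $userId): void
{
    // Privilege level change: issue a new ID and discard the pre-login record,
    // so an ID handed to the client before authentication cannot be reused.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'sid_created_at' => time()];
}

function onLogout(): void
{
    // Privilege level change in the other direction: wipe the data, expire the
    // cookie on the client and destroy the server-side record.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on every page: call startSecureSession() once before any output,
// onLogin($id) after credentials are verified, onLogout() on sign-out.
startSecureSession();
```

The time-based rotation limits how long a captured ID stays useful, while the per-privilege-change regeneration is what actually closes the fixation window; neither replaces HTTPS, which is what stops the ID being captured in transit in the first place.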
Instead of generating session IDs, why don't you encrypt and use the already generated one. It can be used and destroyed when the intended action is complete.