I am trying to add more security to my user authentication sessions. When the user logs in I regenerate_session_id
but I would like your answer on if I rege
You may use session_regenerate_id to prevent session fixation attacks, in which the attacker learns the session ID of a given user then "hijacks" that session ID to act in place of the user.
However, care must be taken. For one, you have to consider asynchronous requests. If you have many concurrent requests coming from a user, you'll want to avoid a situation where one script is using session data when another tries to regenerate - one script is using data that the other is trying to destroy.
Also, this does add overhead. Regenerating every request is probably overkill. Instead, try keeping a request counter; every 10 requests (or so, arbitrary selection), regenerate the ID.
Be sure to pass the argument as true - you don't want or need the old session data sitting around (keeping in mind, still, concurrent requests). See the docs for more information.
All that said - this mechanism is a sort of "micro-enhancement" that will give you more false sense of security than actual security. Session-fixation attacks are not very common, especially if you're already taking other measures to bolster security. Nothing can replace, for example, using HTTPS for secure connection; nothing can replace password complexity requirements.
It may make things more secure but it also introduces problems (e.g. when the user opens more than one tab/window of your page in his browser and navigates on them in parallel). In my opinion it is better to use cookies for the sessions. Though, you could use session_regenerate_id() anyway as it works on cookies, too.
Additionally, you should also check whether the user is still allowed to visit that page. He/she may have been banned but with your current setup he/she would still be able to visit your pages.
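Both answers above point at the same controls, so here is one added PHP example (not code from either answer): regenerate the ID on a request counter with the true argument, keep sessions cookie-only, and re-check on every request that the user is still allowed. The function names, the user lookup and the banned-user value are assumptions.

```php
<?php
// Added example, not from the answers above: counter-based session ID
// regeneration plus a per-request "still allowed?" check (names assumed).

const REGENERATE_EVERY = 10;   // every N requests, arbitrary per the answer

// Hypothetical lookup against your user table; constructed sample data.
function isUserStillAllowed(int $userId): bool
{
    return !in_array($userId, [42], true);   // user 42 stands in for a ban
}

function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1');   // cookies only, never URL IDs
    ini_set('session.use_strict_mode', '1');    // reject IDs the server never issued
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
                               'secure' => !empty($_SERVER['HTTPS'])]);
    session_start();
}

// Regenerate on a counter rather than every request; the true argument
// deletes the old session data instead of leaving it on disk.
function maybeRegenerateId(): void
{
    $_SESSION['request_count'] = ($_SESSION['request_count'] ?? 0) + 1;
    if ($_SESSION['request_count'] >= REGENERATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['request_count'] = 0;
    }
}

// Always regenerate at login (privilege change), whatever the counter says.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['request_count'] = 0;
}

// A session valid at login may now belong to a banned user: re-check it.
function requireActiveUser(): int
{
    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null || !isUserStillAllowed($userId)) {
        $_SESSION = []; session_destroy();
        http_response_code(403); exit('Session is no longer valid.');
    }
    return $userId;
}
```

On each protected page call startSecureSession(), then maybeRegenerateId(), then requireActiveUser(); call loginUser() once the credentials have been verified.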