Do I need to use session_generate_id on all pages? [closed]

1

I recently came across this function. I know that it generates another random ID for the session, but my question is the following: can I use this function only once, right after login, and not use it on the other pages? Will my session be "safe"?

    
asked by anonymous 01.09.2016 / 22:08

1 answer

1

According to the PHP documentation on Sessions and security:

  

Running the session_regenerate_id() function could result in a DoS attack, in the same way as use_strict_mode = On. However, DoS is still better than an exposed account. Session ID must be renewed at least when the user authenticates. Renaming the session ID reduces the risk of session ID theft, so it must be run periodically. The developer should not depend on the expiration of the session ID. Attackers can access the victim's session ID periodically to prevent it from expiring. Developers should implement their own means of expiration for old sessions.

Note what the text says: at least once. That does not mean you cannot do it on every page.

You should review your use case and how long your sessions stay open.

For example: on a system that I maintain, where the sessions stay open for a long time, I call the session_regenerate_id() method every time a PHP script is invoked.

In other situations, you can restrict its use to authentication.

    
01.09.2016 / 22:29
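
The three points in the quoted documentation (renew the ID at login, renew it periodically, and enforce your own expiry) can be combined in one session bootstrap. The following is an added example, not code from the answer or from the PHP manual; the function names `start_secure_session()` and `on_login_success()`, the `$_SESSION` keys, and the two interval constants are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed values for this example; tune them to the application.
const REGEN_INTERVAL = 300;   // rotate the session ID every 5 minutes
const IDLE_TIMEOUT   = 1800;  // application-level expiry after 30 idle minutes

// Hypothetical helper: call at the top of every script instead of session_start().
function start_secure_session(): void
{
    session_start([
        'use_strict_mode' => 1,      // reject session IDs the server did not issue
        'cookie_httponly' => 1,      // keep the cookie away from JavaScript
        'cookie_secure'   => 1,      // assumes the site is served over HTTPS
        'cookie_samesite' => 'Lax',
    ]);

    $now = time();

    // Own expiry: do not rely on the session store's garbage collection.
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        $_SESSION = [];              // drop the stale login state
        session_regenerate_id(true); // and discard the old ID with its data
    }
    $_SESSION['last_seen'] = $now;

    // Periodic rotation: a stolen ID stops working after REGEN_INTERVAL.
    if (!isset($_SESSION['id_issued_at'])) {
        $_SESSION['id_issued_at'] = $now;
    } elseif ($now - $_SESSION['id_issued_at'] > REGEN_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['id_issued_at'] = $now;
    }
}

// Hypothetical helper: call once the credentials have been verified.
function on_login_success(int $userId): void
{
    // New ID at the privilege change, so an ID planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['id_issued_at'] = time();
    $_SESSION['last_seen']    = time();
}
```

Passing `true` deletes the old session data immediately, which can drop a user's session when several requests from the same browser are in flight at once; rotating on an interval rather than on every request reduces how often that window occurs.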