Bytes | Software Development & Data Engineering Community

session_regenerate_id()

Hello,

With regards to session_regenerate_id(), as Gordon pointed out on a
previous post, the parameter to delete the old session was not added
until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
delete my old session as I am calling session_regenerate_id() on every
user request.

I do not want PHP's garbage collection script to run every time as that
would obviously be a huge performance hit, and I checked in my session
data folder and noticed that indeed the function does create a new
session file for each request.

However, every time I regenerate the ID, I am storing the session array
in a temp var, then killing the old session and the associated cookie,
and then reassigning the session array to the new session. As a result,
all of the previous session files become empty (0 Kb) and only the
newest session has the data.

My question is even though there are technically many more valid
sessions with this method, does it matter? I know an attacker could
hijack one of these sessions, but as far as I understand it, wouldn't it
be useless since there is no info in there? I have found conflicting
reports online so I am not sure if I am overlooking any vulnerabilities
with this model.

Thanks in advance!
Oct 5 '05 #1
> With regards to session_regenerate_id(), as Gordon pointed out on a
> previous post, the parameter to delete the old session was not added
> until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
> delete my old session as I am calling session_regenerate_id() on every
> user request.
>
> I do not want PHP's garbage collection script to run every time as that
> would obviously be a huge performance hit, and I checked in my session
> data folder and noticed that indeed the function does create a new
> session file for each request.
>
> However, every time I regenerate the ID, I am storing the session array
> in a temp var, then killing the old session and the associated cookie,
> and then reassigning the session array to the new session. As a result,
> all of the previous session files become empty (0 Kb) and only the
> newest session has the data.
>
> My question is even though there are technically many more valid
> sessions with this method, does it matter?

It depends on your code.

> I know an attacker could
> hijack one of these sessions, but as far as I understand it, wouldn't it
> be useless since there is no info in there?

If the user comes to your page with an existing but empty session,
do you assume he's logged in? If so, you're in big trouble. What
is that user allowed to do? If every page seeing such a session
redirects the user to the login page, you're probably OK.

> I have found conflicting
> reports online so I am not sure if I am overlooking any vulnerabilities
> with this model.


Gordon L. Burditt
Oct 5 '05 #2
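The two things discussed above, as an added example (this is not code from the original poster or from this thread): rotating the session id by hand on a PHP release older than 5.1.0, where session_regenerate_id() has no delete_old_session parameter, and the login check Gordon describes, which treats an existing-but-empty session exactly like no session at all. It assumes the default "files" save handler and a hypothetical $_SESSION['user_id'] key as the logged-in marker; neither is stated in the thread.

```php
<?php
// Added example, not code from the thread. Manual session-id rotation for
// PHP releases before 5.1.0, where session_regenerate_id() has no
// delete_old_session parameter, plus a login check that never treats an
// existing-but-empty session as an authenticated one.
//
// Assumptions (not stated in the thread): the default "files" save handler,
// and that a logged-in user is recorded as $_SESSION['user_id'] (hypothetical key).

// Directory the files handler writes to. session.save_path may be given as
// "N;/path" (directory-depth prefix), so keep only the part after the last ';'.
function session_file_dir()
{
    $path = session_save_path();
    if (($pos = strrpos($path, ';')) !== false) {
        $path = substr($path, $pos + 1);
    }
    return $path === '' ? '/tmp' : $path;   // assumed fallback for an empty save_path
}

// Give the active session a new id and remove the old id's file so that it
// cannot be replayed. session_regenerate_id() (PHP >= 4.3.2) keeps $_SESSION
// and switches to the new id; on its own it leaves the old file behind, which
// is the leftover the thread is about.
function rotate_session_id()
{
    $old_id = session_id();
    if ($old_id === '') {
        return false;                       // no active session to rotate
    }
    if (!session_regenerate_id()) {
        return false;
    }

    // Re-send the cookie explicitly so the browser carries the new id even
    // where the runtime does not reissue it itself.
    $p      = session_get_cookie_params();
    $expire = $p['lifetime'] > 0 ? time() + $p['lifetime'] : 0;
    setcookie(session_name(), session_id(), $expire, $p['path'], $p['domain'], $p['secure']);

    // Drop the old record. With a custom save handler, call its destroy
    // callback with $old_id instead of unlinking a file.
    $old_file = session_file_dir() . '/sess_' . $old_id;
    if (is_file($old_file)) {
        @unlink($old_file);
    }
    return $old_id !== session_id();
}

// An empty session (the 0 KB files the thread describes) carries no
// user_id, so it is treated exactly like having no session at all.
function current_user_id()
{
    if (!isset($_SESSION['user_id']) || (int) $_SESSION['user_id'] <= 0) {
        return 0;
    }
    return (int) $_SESSION['user_id'];
}

// Call on every protected page: a request whose session has no user bound
// to it is redirected, whether the session file is missing or merely empty.
function require_login($login_url = '/login.php')
{
    if (current_user_id() === 0) {
        header('Location: ' . $login_url);
        exit;
    }
}

// On a successful credential check: discard anything the pre-auth session
// carried, bind the user, then rotate so an id fixed by an attacker before
// login never becomes an authenticated one.
function login_user($user_id)
{
    $_SESSION = array();
    $_SESSION['user_id'] = (int) $user_id;
    rotate_session_id();
}

// Page prologue for the per-request rotation the original poster describes
// (constructed usage; on a real page this precedes any output):
session_start();
require_login();
rotate_session_id();
```

Rotating on every request is what breaks multiple tabs, as the next reply points out: a second tab's request arrives carrying the id the first tab's request already retired, lands in an empty session, and with the check above is bounced to the login page. Rotating only in login_user() (and at any other privilege change) keeps the session-fixation protection without that cost, and the empty leftover files then never appear in the first place.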
Marcus wrote:
> With regards to session_regenerate_id(), as Gordon pointed out on a
> previous post, the parameter to delete the old session was not added
> until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
> delete my old session as I am calling session_regenerate_id() on every
> user request.


Do you realize that this stops users from using multiple tabs/windows to
browse your website?

Cheers,
Nicholas Sherlock
Oct 6 '05 #3
Nicholas Sherlock wrote:
> Marcus wrote:
>
> <snip>
> > I am running the 4.3 series, and am trying to manually
> > delete my old session as I am calling session_regenerate_id() on every
> > user request.
>
> Do you realize that this stops users from using multiple tabs/windows to
> browse your website?


That is the *real* use of session_regenerate_id(), especially to
avoid the back button.
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Oct 6 '05 #4