Is session_regenerate_id() without the parameter capable of improving security?
I want to decrease session fixation attack vulnerability, hence I used session_regenerate_id() before login. Somehow I'm in the dark now and not sure about the right answers to the questions below:
When we don't set the function parameter to TRUE then old files won't be deleted. Is this at all secure when we have access to old sessions? Can an attacker use old sessions to fixate sessions?
Should I use the function before login?
Should I set the parameter to true?
The solution to avoid the session fixation is simply changing session ID.
bool session_regenerate_id([bool $delOldSession = false]) will replace the current session id with a new one, and keep the current session information. Adding the parameter true: session_regenerate_id(true) deletes the old session. If you don't delete old sessions, then your web-application is vulnerable to session hijacking. You leave old, but still valid sessions inside the /tmp directory. This means:
- on shared web-hosting servers some people could still have access to them
- you give more chance to guess any of your valid session IDs
You should always destroy old sessions with session_regenerate_id(true) or session_destroy().
However, you should be aware of session_regenerate_id(true) performance. The bare minimum is to use it when you change the user's privileges (like login, logout). When you use it too often, you will notice "strange" things with your sessions. PHP restricts access to the session to only one running task. Multiple requests get into the queue. If you send requests too fast, then: the first request changes the session ID and deletes the old session. The second request (still) has the old session ID and it tries to do some operations on it. As this old session ID doesn't exist, a new session is created, which leads to user logout.
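The following is an added example, not code from the question or the answer above: a minimal login/logout flow that regenerates the session ID (and deletes the old session data) only at the two privilege changes the answer names, so the concurrent-request problem it describes does not arise on ordinary page loads. The check_credentials() function and its single constructed user are hypothetical stand-ins for a real user store.

```php
<?php
// Added example, not from the original post: regenerate the session ID only on
// privilege changes (login, logout), deleting the old session each time.
declare(strict_types=1);

// Hypothetical credential check with one constructed user (id 42); a real
// application would look up the stored password hash in its user store.
function check_credentials(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username]['id'];
}

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Accept the ID only from the cookie, and reject IDs the server never issued,
        // so a planted ID is not turned into a valid session by session_start().
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_strict_mode', '1');
        session_start();
    }
}

function login(string $username, string $password): bool
{
    start_session();
    $userId = check_credentials($username, $password);
    if ($userId === null) {
        return false;
    }
    // Privilege change: replace the pre-login ID and delete its session file,
    // so the ID the client had before authenticating cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (constructed values): a correct login regenerates the ID, a wrong one does not.
if (login('alice', 'wrong password')) {
    echo "unexpected: login should have failed\n";
}
if (login('alice', 'correct horse')) {
    echo "logged in as user " . $_SESSION['user_id'] . " with session " . session_id() . "\n";
}
logout();
```

Because regeneration happens only inside login() and logout(), a burst of ordinary requests from the same browser never races against a just-deleted session file; each request simply locks and reads the same ID. The strict-mode setting is complementary to regeneration: it makes session_start() refuse an ID that PHP did not itself create, so an attacker-chosen ID is never promoted to a live session in the first place.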