The solution to avoid session fixation is simple: change the session ID.
bool session_regenerate_id([bool $delOldSession = false])
replaces the current session ID with a new one and keeps the current session data. Passing the parameter true, session_regenerate_id(true), also deletes the old session. If you don't delete old sessions, your web application is vulnerable to session hijacking: you leave old but still valid sessions inside the /tmp directory. This means:
- on shared web-hosting servers, other people could still have access to them
- you give an attacker more chances to guess one of your valid session IDs
You should always destroy old sessions with session_regenerate_id(true) or session_destroy().
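 
As an added example (not code from the original page), here is a minimal login/logout pair that applies the advice above: the session ID is regenerated with the old session deleted exactly when privileges change, and logout destroys the session entirely. The verify_credentials() helper and its single sample user are constructed for the demonstration; replace it with your own user-store lookup.

```php
<?php
declare(strict_types=1);

// Start the session only if it is not already active (added helper).
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Hypothetical credential check with one constructed sample user.
// A real application would look the hash up in its user store.
function verify_credentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    start_session_once();
    if (!verify_credentials($user, $password)) {
        return false;
    }
    // Privilege change: the anonymous visitor becomes an authenticated user.
    // Issue a fresh session ID and delete the old session file (the `true`
    // argument), so an ID fixed or observed before login is no longer valid.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    start_session_once();
    // Privilege change in the other direction: clear the data, expire the
    // client cookie, then remove the server-side session with session_destroy().
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage from a request handler (assumed POST fields 'user' and 'password'):
// if (login($_POST['user'] ?? '', $_POST['password'] ?? '')) { ... }
```

Regeneration happens once per login and once per logout, not on every request, which keeps the cost of the extra session write to the requests that actually change privileges. Once a request no longer needs session data, calling session_write_close() releases PHP's per-session lock early so queued requests from the same browser are not held up.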
However, you should be aware of the performance cost of session_regenerate_id(true). The bare minimum is to use it whenever the user's privileges change (such as login and logout). When you use it too often, you will notice "strange" things with your sessions. PHP restricts access to a session to only one running request at a time; further requests for the same session are queued. If you send requests too fast, then: