I want to decrease session fixation attack vulnerability, hence I used session_regenerate_id() before login. Somehow I'm in the dark now and not sure of the right answers to the questions below:

  • When we don't set the function parameter to TRUE then old files won't be deleted. Is this at all secure when we have access to old sessions? Can an attacker use old sessions to fixate sessions?
  • Should I use the function before login?
  • Should I set the parameter to true?

Alireza

1 Answer

The solution to avoid session fixation is simply changing the session ID.

`bool session_regenerate_id([bool $delOldSession = false])` will replace the current session ID with a new one and keep the current session information. Passing the parameter `true`, `session_regenerate_id(true)`, deletes the old session. If you don't delete old sessions, then your web application is vulnerable to session hijacking. You leave old, but still valid, sessions inside the /tmp directory. This means:

  • on shared web-hosting servers some people could still have access to them
  • you give more chances to guess one of your valid session IDs

You should always destroy old sessions with session_regenerate_id(true) or session_destroy().

However, you should be aware of the performance of session_regenerate_id(true). The bare minimum is to use it when you change the user's privileges (like login, logout). When you use it too often, you will notice "strange" things with your sessions. PHP restricts access to the session to only one running task. Multiple requests are queued. If you send requests too fast, then:

  • The first request changes the session ID and deletes the old session.
  • The second request (still) has the old session ID and tries to do some operations on it.
  • As this old session ID doesn't exist, a new session is created, which leads to user logout.
p____h
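The race described in the answer (a second request still carrying the old ID gets a fresh, logged-out session) can be handled with a short grace window instead of deleting the old session outright. The following is an added example, not the answerer's code: the old session keeps only a "destroyed" marker pointing at the new ID, so a late parallel request is moved to the new session, while an old ID presented long after regeneration is treated as suspicious. It assumes PHP 7.1 or newer (for session_create_id), cookie-based sessions with the default file handler, and a 60-second window.

```php
<?php
// Added example: session ID regeneration with a grace window for late
// parallel requests. Not code from the answer above.
// Assumptions: PHP >= 7.1, cookie-based sessions, GRACE_SECONDS chosen for
// this example; tune it to your environment.
declare(strict_types=1);

const GRACE_SECONDS = 60;

// Start (or resume) the session, honouring a "destroyed" marker left on the
// previous ID by regenerate_session().
function start_session(): void
{
    // Strict mode rejects IDs that do not exist in storage, so a client
    // cannot bring its own (fixated) ID. ini_set is per request.
    ini_set('session.use_strict_mode', '1');
    session_start();
    if (!isset($_SESSION['destroyed'])) {
        return;
    }
    if ($_SESSION['destroyed'] < time() - GRACE_SECONDS) {
        // Old ID reused well after regeneration: possible hijack, end it.
        $_SESSION = [];
        session_destroy();
        throw new RuntimeException('obsolete session ID presented');
    }
    // Late parallel request inside the window: switch to the new session,
    // which regenerate_session() has already created.
    $newId = $_SESSION['new_session_id'];
    session_commit();
    session_id($newId);
    session_start();
}

// Replace the session ID, carrying the data over. The old session survives
// for GRACE_SECONDS but holds nothing except the forwarding marker, so it
// grants no privileges to whoever still has it.
function regenerate_session(): void
{
    $data  = $_SESSION;
    $newId = session_create_id();
    $_SESSION = ['new_session_id' => $newId, 'destroyed' => time()];
    session_commit();                        // old ID now stores only the marker
    ini_set('session.use_strict_mode', '0'); // allow starting a not-yet-existing ID
    session_id($newId);
    session_start();                         // creates the new session, sends the cookie
    $_SESSION = $data;                       // user data lives only under the new ID
}

// Typical use at login, after credentials have been verified elsewhere:
// start_session(); regenerate_session(); $_SESSION['user_id'] = $verifiedUserId;
```

Call start_session() instead of a bare session_start() on every request, and regenerate_session() at each privilege change (login, logout), which is the same placement the answer recommends.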
  • Thanks. When logout happens all sessions will be destroyed. So why do you suggest using `session_regenerate_id(true)` inside logout? – Alireza Jun 27 '12 at 09:06
  • @Sheriff For those sites that do not destroy the entire session on logout. – Bart van Heukelom Jun 27 '12 at 10:36
  • @BartvanHeukelom Why wouldn't they? When someone logs out you don't need anything in the session for that particular user, do you? – Alireza Jun 27 '12 at 10:40
  • 2
    @Sheriff Usually not, but maybe a partly filled in form, navigation history or something like that. Just saying that it's not always the same thing. – Bart van Heukelom Jun 27 '12 at 15:14