
From PHP Session Management basics:

Proper use of session.use_only_cookies and session_regenerate_id() can cause personal DoS with undeletable cookies set by attackers. In this case, developers may invite users to remove cookies and advise them they may be affected by a security issue. Attackers may set malicious cookies via a vulnerable web application, an exposed/vicious browser plugin, a physically compromised device, etc.

To put it in context:

In PHP, for security reasons, one usually sets session.use_only_cookies to true, which means the sessions are implemented via cookies, and uses session_regenerate_id(), which means a new session ID is created every time a user authenticates to the website. session_regenerate_id() does not delete the old session ID/data.

I do not understand how a proper use of session.use_only_cookies and session_regenerate_id() can cause a "personal DoS". Could someone elaborate on this?

Kyoma

0 Answers
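The following PHP bootstrap is an added example, not code from the question or from the PHP manual. It shows the defender's side of the situation the manual describes: a browser can hold a session cookie whose name matches the application's but whose path or domain differs from what the application's own Set-Cookie uses, and a Set-Cookie only replaces a cookie with the same name, domain and path. With session.use_only_cookies the server will not fall back to a URL-borne ID, and with session.use_strict_mode the server rejects the stale ID and issues a fresh one on every request, so the user never keeps a session. The code counts how often the same rejected ID comes back and, past a threshold, tells the user to clear cookies, which is the advice the manual suggests. The function names bootSession(), loginUser() and rejectedCookieCount(), the cookie name APPSESSID, the file-based counter and the threshold of 3 are all assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the question or from the PHP manual.
// Assumed names: bootSession(), loginUser(), rejectedCookieCount(); the cookie
// name 'APPSESSID', the temp-file counter and the threshold of 3 are arbitrary.

// Accept the session ID only from the cookie (never from the URL) and discard
// any ID the server did not itself issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_name('APPSESSID');

/**
 * Counts consecutive requests in which the same rejected session ID arrived.
 * The counter is keyed by a hash of that ID in a file under the temp dir
 * (assumed storage; a real deployment would use its cache or database) and
 * expires after $ttl seconds of inactivity.
 */
function rejectedCookieCount(string $staleId, int $ttl = 600): int
{
    $file = sys_get_temp_dir() . '/stale_' . hash('sha256', $staleId);
    $count = 0;
    if (is_file($file) && filemtime($file) > time() - $ttl) {
        $count = (int) file_get_contents($file);
    }
    $count++;
    file_put_contents($file, (string) $count, LOCK_EX);
    return $count;
}

/**
 * Starts the session and reports whether the browser's cookie could be used.
 * Returns 'ok' when the session is usable, or 'stale-cookie' when the browser
 * keeps presenting an ID this server cannot accept.
 */
function bootSession(int $threshold = 3): string
{
    $incoming = $_COOKIE[session_name()] ?? null;
    session_start();

    // With use_strict_mode an unknown ID is replaced by a fresh one, so a
    // mismatch between the cookie and session_id() means the cookie was rejected.
    if ($incoming === null || $incoming === session_id()) {
        return 'ok';
    }

    // One rejection is normal (for example the old session expired server-side):
    // the Set-Cookie sent with this response replaces the stale value. If the
    // same rejected ID arrives again and again, our Set-Cookie is not replacing
    // a cookie we cannot delete (different path or domain), which is the
    // "personal DoS" the manual describes.
    if (rejectedCookieCount($incoming) >= $threshold) {
        return 'stale-cookie';
    }
    return 'ok';
}

/** Call after successful authentication: new ID, old session data removed. */
function loginUser(string $userId): void
{
    // delete_old_session = true removes the previous session's data; the default
    // (false) leaves the old ID's data behind, as the question notes.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

// Request entry point: tell the user to clear cookies instead of silently
// serving a broken session on every request.
if (bootSession() === 'stale-cookie') {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Your browser is sending a session cookie this site cannot use.\n",
         "Please delete this site's cookies and reload the page.\n";
    exit;
}
```

The check lives on the server side rather than in $_SESSION because, in exactly the case being detected, every request starts a brand-new session and anything stored in $_SESSION is lost; keying the counter on the rejected ID is what lets the application distinguish a single expired session (one rejection, then a working cookie) from a cookie it can never replace.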