Session_regenerate_id

I spent a bit of time tracking down a session-related error that was occurring after upgrading PHP from version 5 to version 7:


Once you have called the session_regenerate_id() function, whatever you do afterwards is safe. You may choose as you prefer, and there is no problem doing all of them to be thorough. Personally, my opinion is that A and B should both be done, and C need not be.

  1. Description: session_start() creates and locks the session file, but session_regenerate_id() doesn't do it. After session_regenerate_id() the session is started with the new ID, but the file is not created immediately (it is created when the session is closed) and therefore is not locked. I think this causes bugs like #49462.
  2. session_regenerate_id(): Cannot regenerate session id - headers already sent
  3. session_create_id(string $prefix = ""): string|false. session_create_id() is used to create a new session ID for the current session. It returns a collision-free session ID.

PHP Catchable fatal error: session_regenerate_id(): Failed to create(read) session ID: user (path: /var/lib/php/session) in /vagrant/library/Zend/Session.php on line 322

Although this particular error was coming from Zend Framework, there’s a more general solution that is framework-agnostic:

If you are setting a custom session handler, make sure the read callback returns a string. Returning null or false will cause the above error.

Reference: http://php.net/manual/en/function.session-set-save-handler.php


This RFC is renamed. Refer to the latest

Keeping the HTTP session as secure as possible is the session manager's task. The session manager can improve HTTP session security without user code modification while keeping compatibility with existing applications. Please note that this RFC is about session manager behavior.

session_regenerate_id() is used to generate a new session ID. It is better to delete the old session data to reduce the risk of session hijacking. However, session_regenerate_id() currently leaves the old session data by default (i.e. session_regenerate_id(FALSE) is the default). The old session data stays active and usable until GC.

The old session is left active so that session ID regeneration is reliable. There are many reasons why the old session must be kept for a while. Examples are:

  • Browsers connect to the web server over multiple connections.
  • Mobile networks may lose radio, may hand over between cells, etc.
  • Large network providers have multiple gateways for offloading traffic, and packets may arrive out of order.


For reliable session ID regeneration, only a short period (a few seconds for wired connections, a few minutes for mobile connections) is enough.

Leaving the old session active opens a wide window for an attacker:


  1. The old session lives long term and never expires as long as it keeps being accessed, i.e. an attacker may abuse a stolen session forever.
  2. There is no mechanism to detect possible attacks, even though the session manager is in a position to detect them.

Countermeasures for session hijacking (requirement: session ID regeneration must remain reliable):


  1. Make sure the old session is deactivated/deleted after a certain period.
  2. Raise an error/exception for invalid access (i.e. raise an error when a session that should already have been deleted is accessed).

Problems with immediate deletion of the old session:

  1. It makes session ID regeneration unreliable. (Unacceptable)
  2. It removes the alarm for possible attacks. (No detection = insecure)


“Make sure the old session is deleted after a certain period” and “Raise an error/exception for invalid access” together provide much better security than either the current behavior or immediate deletion.


An error may be raised for either a legitimate user or an attacker. If the error is raised for a legitimate user, that user learns they are under attack (possibly the network is dangerous or the app has a vulnerability). If the error is raised for an attacker, the attacker learns they may be caught through the illegal access.
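The countermeasure described above (keep the old session usable for a short grace period, then treat any access to it as an error) can be approximated in userland. The following is an added example, not code from the RFC or from PHP itself; it assumes PHP 7.1 or later (where session_regenerate_id() writes the old session's data before switching IDs) and a 60-second grace period chosen for illustration.

```php
<?php
declare(strict_types=1);
// How long the OLD session ID stays usable after regeneration (assumed value;
// the RFC suggests seconds for wired clients, a few minutes for mobile ones).
const SESSION_GRACE_SECONDS = 60;

/**
 * Start the session and reject a session whose ID was regenerated more than
 * SESSION_GRACE_SECONDS ago: it is deleted and an exception is raised so the
 * application can log the event instead of silently serving a stale session.
 */
function start_session_strict(): void
{
    // Strict mode makes PHP refuse uninitialized IDs supplied by the client.
    ini_set('session.use_strict_mode', '1');
    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }

    $destroyedAt = $_SESSION['__destroyed_at'] ?? null;
    if ($destroyedAt !== null && $destroyedAt < time() - SESSION_GRACE_SECONDS) {
        $_SESSION = [];
        session_destroy();
        throw new RuntimeException('Access with an expired (regenerated) session ID');
    }
}

/**
 * Regenerate the session ID while keeping the old session readable for the
 * grace period, so delayed or out-of-order requests carrying the old ID work.
 */
function regenerate_session_with_grace(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        start_session_strict();
    }
    // Stamp the old session. From PHP 7.1 session_regenerate_id() writes the
    // old session's data before switching, so the stamp lands in the old file.
    $_SESSION['__destroyed_at'] = time();
    if (!session_regenerate_id(false)) {      // false: do not delete the old one
        throw new RuntimeException('session_regenerate_id() failed');
    }
    // The new session got a copy of the data; it is live, not a stale one.
    unset($_SESSION['__destroyed_at']);
}

// Typical use after login (constructed sample data).
start_session_strict();
$_SESSION['user_id'] = 42;
regenerate_session_with_grace();
```

A legitimate client whose delayed request still carries the old ID is served normally inside the grace period, while a request with the old ID after the period is refused and surfaces as an exception the application can log.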