Posted by Marcus on 09/25/94 11:28
Hello,
With regards to session_regenerate_id(), as Gordon pointed out on a
previous post, the parameter to delete the old session was not added
until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
delete my old session as I am calling session_regenerate_id() on every
user request.
I do not want PHP's garbage collection script to run every time as that
would obviously be a huge performance hit, and I checked in my session
data folder and noticed that indeed the function does create a new
session file for each request.
However, every time I regenerate the ID, I am storing the session array
in a temp var, then killing the old session and the associated cookie,
and then reassigning the session array to the new session. As a result,
all of the previous session files become empty (0 Kb) and only the
newest session has the data.
My question is even though there are technically many more valid
sessions with this method, does it matter? I know an attacker could
hijack one of these sessions, but as far as I understand it, wouldn't it
be useless since there is no info in there? I have found conflicting
reports online so I am not sure if I am overlooking any vulnerabilities
with this model.
Thanks in advance!
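The procedure the post describes (regenerate the id on each request, then get rid of the old session rather than waiting for garbage collection) can be done without the copy-and-reassign dance. The following is an added example, not code from the thread; it assumes PHP 4.3.x with the default "files" save handler, a session that is already started, and a 4.3 build on which session_regenerate_id() sends the new cookie (this varies between 4.3 point releases, so check yours). The helper name regenerate_session_and_drop_old is my own.

```php
<?php
// Added example (not from the thread). Assumes PHP 4.3.x, the "files" save
// handler, and that session_start() has already been called.
function regenerate_session_and_drop_old()
{
    $old_id = session_id();

    // Let PHP generate the new id and switch the running session to it.
    // $_SESSION is untouched and will be written to the new file at shutdown,
    // so there is no need to copy it into a temp variable and back.
    session_regenerate_id();
    $new_id = session_id();

    // 4.3 has no "delete old session" parameter, so remove the old file here
    // instead of leaving it for session.gc_probability to collect eventually.
    $path = session_save_path();
    if (($pos = strpos($path, ';')) !== false) {
        $path = substr($path, $pos + 1);   // handle the "N;/path" form of save_path
    }

    // Only ever build a filesystem path from an id that looks like a PHP session id;
    // a tampered cookie value must not turn this unlink() into a path traversal.
    if (preg_match('/^[A-Za-z0-9,-]+$/', $old_id)) {
        $old_file = $path . '/sess_' . $old_id;
        if (is_file($old_file)) {
            @unlink($old_file);
        }
    }

    return $new_id !== $old_id;
}

// Usage: call once per request after session_start().
session_start();
$_SESSION['user'] = isset($_SESSION['user']) ? $_SESSION['user'] : 'demo';  // constructed sample state
$rotated = regenerate_session_and_drop_old();
echo $rotated ? "rotated to " . session_id() : "id unchanged";
```

Deleting the old file leaves nothing behind for garbage collection to sweep and nothing for a stale cookie to resume. If you move to a custom save handler later, put the same deletion in its destroy callback rather than touching the filesystem directly.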