Posted by Gordon Burditt on 10/16/74 11:28
>With regards to session_regenerate_id(), as Gordon pointed out on a
>previous post, the parameter to delete the old session was not added
>until PHP 5.1.0. I am running the 4.3 series, and am trying to manually
>delete my old session as I am calling session_regenerate_id() on every
>user request.
>
>I do not want PHP's garbage collection script to run every time as that
>would obviously be a huge performance hit, and I checked in my session
>data folder and noticed that indeed the function does create a new
>session file for each request.
>
>However, every time I regenerate the ID, I am storing the session array
>in a temp var, then killing the old session and the associated cookie,
>and then reassigning the session array to the new session. As a result,
>all of the previous session files become empty (0 Kb) and only the
>newest session has the data.
>
>My question is even though there are technically many more valid
>sessions with this method, does it matter?
It depends on your code.
>I know an attacker could
>hijack one of these sessions, but as far as I understand it, wouldn't it
>be useless since there is no info in there?
If the user comes to your page with an existing but empty session,
do you assume he's logged in? If so, you're in big trouble. What
is that user allowed to do? If every page seeing such a session
redirects the user to the login page, you're probably OK.
>I have found conflicting
>reports online so I am not sure if I am overlooking any vulnerabilities
>with this model.
Gordon L. Burditt
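As an added illustration of the two points above (this is example code written for this page, not code from either poster), the following PHP 4.3-style helper regenerates the id on each request, removes the old session file by hand since session_regenerate_id() in that version cannot do it, and then treats a session that carries no authenticated user exactly like no session at all. It assumes the default "files" save handler with the "sess_" filename prefix and a writable session.save_path; the cookie name, the redirect target and the $_SESSION keys user_id and auth_ok are made up for the example.

```php
<?php
// Example code, not from the original post. Assumes PHP 4.3.x with the
// default "files" save handler and the default "sess_" file prefix.

function regenerate_session()
{
    $old_id = session_id();

    // In PHP < 5.1 this only issues a new id and cookie; the data already in
    // $_SESSION stays in memory and is written under the new id at shutdown.
    // The old file is left on disk with its old contents until garbage
    // collection runs, which is why it is removed by hand below.
    session_regenerate_id();

    if (ini_get('session.save_handler') !== 'files') {
        return;                 // some other handler owns the storage
    }

    // Never build a filesystem path from an unvalidated cookie value:
    // a tampered PHPSESSID must not turn this into an arbitrary unlink().
    if (!preg_match('/^[A-Za-z0-9,-]+$/', $old_id)) {
        return;
    }

    $dir = session_save_path();             // may look like "N;/path"
    if (($pos = strrpos($dir, ';')) !== false) {
        $dir = substr($dir, $pos + 1);
    }
    if ($dir === '') {
        return;                 // unknown location, leave it to gc
    }

    $old_file = $dir . '/sess_' . $old_id;
    if (is_file($old_file)) {
        @unlink($old_file);
    }
}

function require_login()
{
    // WRONG: "if (session_id() != '')" or "if (isset($_SESSION))" would accept
    // one of the leftover empty sessions as a logged-in user.
    //
    // RIGHT: require the specific values that only the login handler sets.
    if (empty($_SESSION['user_id']) || empty($_SESSION['auth_ok'])) {
        header('Location: /login.php');     // hypothetical login page
        exit;
    }
}

// Per-request flow: start, rotate the id, then gate on real auth data.
session_start();
regenerate_session();
require_login();
?>
```

With this shape, hijacking one of the stale ids gains nothing: the stolen session has no user_id, so every page that calls require_login() sends the attacker to the login form, which is the outcome Gordon describes as "probably OK". The unlink() step is a belt-and-braces measure for the files handler only; if you use a custom save handler, delete the old record through that handler instead.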