[nycphp-talk] Merging/reissuing sessions ...
Chris Snyder
csnyder at chxo.com
Fri Oct 31 12:29:56 EST 2003
jon baer wrote:
>session.reissue();
>session.reissue(int); // tell it when to reissue after x transactions
>(default 1)
>
>it was mainly a security idea to prevent hijacking over time.
>
>does session_regenerate_id() perform these same type of functions w/ a
>transaction count? and is there anything new in php5 pertaining to this?
>
>
This is why I still roll my own sessions -- I was under the impression
that the session cookie/url remains the same for an entire session,
which may be days. That makes it a little too easy to hijack a session
-- either maliciously by intercepting traffic en route or catching it in
a referer, or inadvertently by sending someone a URL that contains the
sessionid.
This appears to be the problem that session_regenerate_id() is meant to
solve. You could implement your own transaction count, or just update on
every request.
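One way to do the transaction-count reissue on top of session_regenerate_id(), as an added example that is not code from the thread; it assumes PHP 7 or later (scalar type hints, the ?? operator) and cookie-based sessions, and the ini settings and counter key names are my own choices:

```php
<?php
// Added example (not from the original post): regenerate the PHP session id
// after every N requests, the "transaction count" idea from the thread,
// built on session_regenerate_id(). Assumes PHP 7+ and cookie-based sessions.

// Harden cookie handling before the session starts (constructed settings).
ini_set('session.use_only_cookies', '1'); // never accept ids from the URL
ini_set('session.use_trans_sid', '0');    // never append ids to links
ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts

session_start();

/**
 * Regenerate the session id once $every requests have been served on it.
 * A value of 1 regenerates on every request, as the reply above suggests.
 * Returns true when the id was actually rotated on this request.
 */
function reissue_session(int $every = 1): bool
{
    if ($every < 1) {
        throw new InvalidArgumentException('reissue interval must be >= 1');
    }
    $_SESSION['__reissue_count'] = ($_SESSION['__reissue_count'] ?? 0) + 1;
    if ($_SESSION['__reissue_count'] < $every) {
        return false;
    }
    $_SESSION['__reissue_count'] = 0;
    // true deletes the old session data so a leaked id stops resolving
    // to this session immediately, instead of lingering until GC runs.
    return session_regenerate_id(true);
}

/**
 * Always rotate on privilege change regardless of the counter, so an id
 * captured before login cannot be reused afterwards (session fixation).
 */
function on_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['__reissue_count'] = 0;
    $_SESSION['user'] = $user;
}

reissue_session(5); // reissue after 5 transactions on this session
```

Regenerating on every request can race with concurrent requests from the same client (the second request arrives with an id that was just invalidated), which is one reason an interval greater than 1 is often chosen while still rotating unconditionally at login.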