If you are using cookies to store session ids and your php version
is 4.3.2, session_regenerate_id() will not issue a cookie with the
new id resulting in authentication failures.
Here is my fix
session_regenerate_id();
if(!version_compare(phpversion(),"4.3.3",">=")){
setcookie(
session_name(),
session_id(),
ini_get("session.cookie_lifetime"),
"/"
);
}
session_regenerate_id
(PHP 4 >= 4.3.2, PHP 5)
session_regenerate_id -- Update the current session id with a newly generated one说明
bool session_regenerate_id ( [bool delete_old_session] )session_regenerate_id() will replace the current session id with a new one, and keep the current session information.
add a note
User Contributed Notes
buraks78 at gmail dot com
18-Aug-2006 02:00
18-Aug-2006 02:00
Gant at BleachEatingFreaks dot com
25-Jan-2006 04:57
25-Jan-2006 04:57
I am calling session_regenerate_id() from inside a method in an object. Since session fixation can occur at permission changes, I have my object call session fixation at these particular security changes.
Unfortunately, it seems to fabricate some kind of temporary new session, and then the very next page that loads, it jumps back to the old session id. There seems to be no way to make the regeneration perminent.
frank
08-Jan-2006 09:56
08-Jan-2006 09:56
session_regenerate_id(); not present and still want to change
session id's - below a function which will do the same
<?php
function sessie_regenerate_id() {
$randlen = 32;
$randval = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$random = "";
for ($i = 1; $i <= $randlen; $i++) {
$random .= substr($randval, rand(0,(strlen($randval) - 1)), 1);
}
// use md5 value for id or remove capitals from string $randval
// $random = md5($random);
if (session_id($random)) {
return true;
} else {
return false;
}
}
if (!function_exists("session_regenerate_id")) {
sessie_regenerate_id();
} else {
session_regenerate_id();
}
?>
sopel
19-Sep-2005 08:32
19-Sep-2005 08:32
for php 5.1> user probably worth visiting is http://ilia.ws/archives/47-session_regenerate_id-Improvement.html
dyer85 at gmail dot com
25-Aug-2005 01:59
25-Aug-2005 01:59
There could be a potential problem with elger at NOSPAM dot yellowbee dot nl's a few posts below. In the code, was used the REQUEST_URI server variable, which, in some cases might already contain the query string. Therefore, always apending '?whatever=foo' would occasionally cause the script to malfunction. I suggest using PHP_SELF, which will not contain the query string after the file.
18-Jul-2005 11:39
It would be more reliable to use the following regular expression when checking session_ids, as HEX strings (MD5) are only of characters a-f and 0-9;
preg_match('/[0-f]/i', $session_id);
Nicolas dot Chachereau at Infomaniak dot ch
03-Jun-2005 02:40
03-Jun-2005 02:40
Session_destroy() does not only destroy the data associated with the current session_id (i.e. the file if you use the default session save handler), but also the session itself: if you call session_destroy() and then session_regenerate_id(), it will return false, and session_id() won't return anything. In order to manipulate a session after destroying it, you need to restart it.
So in fact, the code mentionned by chris won't work. If you want to destroy the file associated with the old session_id, try the following:
<?php
session_start();
$old_sessid = session_id();
session_regenerate_id();
$new_sessid = session_id();
session_id($old_sessid);
session_destroy();
//If you don't copy the $_SESSION array, you won't be able to use the data associated with the old session id.
$old_session = $_SESSION;
session_id($new_sessid);
session_start();
$_SESSION = $old_session;
//...
?>
Note: this technique will send 3 Set-Cookie headers (one on each session_start() and one on session_regenerate_id()). I don't think this is a problem, but if it appears to be one, you could either leave it alone and wait for the garbage collector to catch the file associated with the old session, or try to delete the file with unlink().
chris at knowledge dot tee-vee
17-Jan-2005 09:51
17-Jan-2005 09:51
licp - no, session_regenerate_id() does not destroy any saved session data.
elger, I prefer the following order
[code]
// populate $_SESSION with any previously saved session data for the current session_id
session_start();
...
// delete any saved data associated with current session_id, $_SESSION is not changed
session_destroy();
// change session_id, $_SESSION not altered
session_regenerate_id();
...
// save any $_SESSION data under the current session_id
session_close();
[/code]
licp at hotmail dot com
07-Jan-2005 12:07
07-Jan-2005 12:07
By inspecting the source code, I am not sure that after session_regenerate_id() run, the original session data does not destroy (still keeps at the system) that sniffers still hijack by applying original session identifier.
In addition, I find that if user-level session storage handler is used. session_regenerate_id() does not work.
php at cny dot de
21-Dec-2004 01:08
21-Dec-2004 01:08
Also note that REMOTE_ADDR may change on every request if the user comes through a proxy farm. Most AOL-users do.
ross at kndr dot org
16-Nov-2004 07:41
16-Nov-2004 07:41
In a previous note, php at 5mm de describes how to prevent session hijacking by
ensuring that the session id provided matches the HTTP_USER_AGENT and REMOTE_ADDR fields that were present when the session id was first issued. It should be noted that HTTP_USER_AGENT is supplied by the client, and so can be easily modified by a malicious user. Also, the client IP addresses can be spoofed, although that's a bit more difficult. Care should be taken when relying on the session for authentication.
elger at NOSPAM dot yellowbee dot nl
28-Oct-2004 05:10
28-Oct-2004 05:10
Take good notice of the new cookie being sent on calling session_regenerate_id on cookie-enabled sessions.
Make sure your page is reloaded otherwise you'll get an "session_destroy(): Session object destruction failed" error. So here are the examples:
Wrong:
<?php
session_start();
session_regenerate_id();
session_destroy();
?>
Correct-like:
<?php
if (!$_GET['mode']){
session_start();
session_regenerate_id();
header('location: '.$_SERVER['REQUEST_URI'].'?mode=destroy');
} else {
session_start();
session_destroy();
}
?>
I noted this because googleing on the previous mentioned error leads to all kinds of bug reports, but not to the solution. (which is, of course, to read the manual)
timo at frenay dot net
27-Aug-2004 02:32
27-Aug-2004 02:32
This function is vital in preventing session fixation attacks, but is unfortunately missing in PHP versions prior to 4.3.2. This creates a serious security problem if you can't update your PHP version, like me. Therefore I attempted to port this function to PHP itself:
<?php
if (!function_exists('session_regenerate_id')) {
function php_combined_lcg() {
$tv = gettimeofday();
$lcg['s1'] = $tv['sec'] ^ (~$tv['usec']);
$lcg['s2'] = posix_getpid();
$q = (int) ($lcg['s1'] / 53668);
$lcg['s1'] = (int) (40014 * ($lcg['s1'] - 53668 * $q) - 12211 * $q);
if ($lcg['s1'] < 0)
$lcg['s1'] += 2147483563;
$q = (int) ($lcg['s2'] / 52774);
$lcg['s2'] = (int) (40692 * ($lcg['s2'] - 52774 * $q) - 3791 * $q);
if ($lcg['s2'] < 0)
$lcg['s2'] += 2147483399;
$z = (int) ($lcg['s1'] - $lcg['s2']);
if ($z < 1) {
$z += 2147483562;
}
return $z * 4.656613e-10;
}
function session_regenerate_id() {
$tv = gettimeofday();
$buf = sprintf("%.15s%ld%ld%0.8f", $_SERVER['REMOTE_ADDR'], $tv['sec'], $tv['usec'], php_combined_lcg() * 10);
session_id(md5($buf));
if (ini_get('session.use_cookies'))
setcookie('PHPSESSID', session_id(), NULL, '/');
return TRUE;
}
}
?>
To test this:
<?php
session_start();
$sid = session_id();
session_regenerate_id();
echo "Old session ID: ", $sid, "\nNew session ID: ", session_id(), "\n";
?>
- will output something similar to:
Old session ID: 6e3521f44be4fc452b368e703f044ca1
New session ID: 1c6dac9a3e794f164d4115872b902471
babel at nosqamplease sympatico ca
23-Feb-2004 12:48
23-Feb-2004 12:48
To add to php at 5mm de's comments:
If the session is held over https, it's even better to save the client's cert or ssl session id instead of the hostname or ip, as it's proxy-transparent and more secure.
php at 5mm de
05-Sep-2003 09:01
05-Sep-2003 09:01
This feature seems to create a new session ID without clearing the old session data. This is a very important feature for security validation:
$usedns = TRUE; // for eliminating failture by proxys using IP chains, but slower
$useragent = getenv("HTTP_USER_AGENT");
$host = getenv("REMOTE_ADDR");
$dns = $global['dns'] ? @gethostbyaddr($host):$host;
session_start();
if(session_is_registered('securitycheck')) {
if(
(($_SESSION['session']['host'] != $this->host) && !$usedns)
|| ($_SESSION['session']['dns'] != $this->dns)
|| ($_SESSION['session']['useragent'] != $this->useragent)
) {
session_regenerate_id();
session_unset();
}
} else {
$currentdata = array();
$currentdata['host'] = $this->host;
$currentdata['dns'] = $this->dns;
$currentdata['useragent'] = $this->useragent;
session_register('securitycheck', $currentdata);
}
If sombody steals an active SID (e.g. by referrer or injection attack), he cant be validated because of either the host / dns or useragent and will get a new (empty) SID, without interrupting the original session.
Please mail me for any comments: php at 5mm de
madsen at sjovedyr.dk
28-Aug-2003 10:26
28-Aug-2003 10:26
I had problems with a proxy changing a visitors session_id-cookie, so he'd get a LOT of errors when visiting my site.
I handled the bogus session-id's like this. (Note: It only works in versions > 4.3.2.)
<?php
// Start a session and suppress error-messages.
@session_start();
// Catch bogus session-id's.
if (!preg_match("/^[0-9a-z]*$/i", session_id())) {
// Output a warning about the messed up session-id.
$error->handleError("WARN", "Your session id is messed up, you might not be able to use some features on this site.");
// Generate a fresh session-id.
session_regenerate_id();
}
// Site contents.
?>
Hope someone can use it.