From: Ben Stones on
Hi,

I'm just wondering whether there are any apparent security concerns I should
be aware of when using sessions in my PHP scripts. I understand that
sessions are tracked with an individual user via a session ID which is
stored in a temporary location on the server, as well as a PHPSESSID cookie
assigned to the end user's client, but the server my website is hosted on
(and which I'll be developing my PHP script on) doesn't allow you to create
a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only
the server can generate a session ID for the end user when I call the
session_start function? So do I still need to call session_regenerate_id for
security purposes when an end user has entered the correct login credentials
- would this be necessary since you cant set a session ID via the URL?

Thanks,
Ben.
From: Ashley Sheridan on
On Mon, 2010-03-29 at 12:24 +0100, Ben Stones wrote:

> Hi,
>
> I'm just wondering whether there are any apparent security concerns I should
> be aware of when using sessions in my PHP scripts. I understand that
> sessions are tracked with an individual user via a session ID which is
> stored in a temporary location on the server, as well as a PHPSESSID cookie
> assigned to the end user's client, but the server my website is hosted on
> (and which I'll be developing my PHP script on) doesn't allow you to create
> a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only
> the server can generate a session ID for the end user when I call the
> session_start function? So do I still need to call session_regenerate_id for
> security purposes when an end user has entered the correct login credentials
> - would this be necessary since you cant set a session ID via the URL?
>
> Thanks,
> Ben.


Just setting a URL variable won't actually create a session, you have to
use the PHP session functions to create one.

Using session_regenerate_id() won't do that much for security. If you
are really worried, then consider a security certificate. Even a
self-issued one is better than nothing, and you can generate these for
free.

Thanks,
Ash
http://www.ashleysheridan.co.uk