I am thinking of using this code on every page to reduce the possibility of session hijacking by renewing the session_id on every request:
if(!empty($_sessio
I did indeed have problems (on page refresh or inside AJAX requests) using session_regenerate_id(true); on each request,
but not with session_regenerate_id();
So, according to
Renew the Session ID After Any Privilege Level Change https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
Regenerate SID on each request http://en.wikipedia.org/wiki/Session_fixation#Regenerate_SID_on_each_request
I use
session_regenerate_id(); on each request
session_regenerate_id(true); on login, logout, etc. (any privilege level change)
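The split described in the answer above, as an added example that is not part of the original post: renewal without deletion on every request, and renewal with deletion of the old session on login and logout. The function names, the 'action' parameter and the 'user_id' session key are assumptions made for illustration.

```php
<?php
// Added example: function names and $_SESSION keys are assumptions.

function start_request_session(): void
{
    // Reject session IDs that the server did not issue (fixation defence).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();

    // Per-request renewal WITHOUT deleting the old session data, so a page
    // refresh or parallel AJAX call still carrying the previous ID finds it.
    // The old ID stays valid until session garbage collection removes it.
    session_regenerate_id();
}

function on_login(string $userId): void
{
    // Privilege level change: issue a new ID and delete the old session
    // so an ID known before authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function on_logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // old ID and its data are removed
    session_destroy();             // drop the new, now empty, session too

    // Expire the session cookie in the browser.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
}

// Constructed request flow: ?action=login or ?action=logout.
start_request_session();
$action = $_GET['action'] ?? '';
if ($action === 'login') {
    on_login('demo-user');         // constructed id; real code verifies credentials first
} elseif ($action === 'logout') {
    on_logout();
}
echo isset($_SESSION['user_id']) ? "logged in\n" : "anonymous\n";
```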