I am thinking of using this code on every page to reduce the possibility of session hijacking, by renewing the session_id on every request:
if(!empty($_sessio
However, I heard criticisms of that function that say that if the page is refreshed too fast for some reason, the session id becomes invalid.
Well, I guess you have to try it out to confirm that, but I don't think you'll ever experience that problem.
Anyway, regenerating the session for every page load doesn't secure you completely from session hijacking and uses resources that are better spent somewhere else. A better place to start would be looking at SSL. Encrypting the data between the client and the webserver is more secure.
I personally only regenerate a session id when a user logs in AND when a user logs out of my applications.
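A sketch of the approach described in the answer above (a new session ID at login and logout, with the cookie restricted to HTTPS), added here as an example and not part of the original posts. The function names and the `user_id` session key are assumptions; it needs PHP 7.3 or later for the array forms of `session_set_cookie_params()` and `setcookie()`.

```php
<?php
// Added example: helper names and the 'user_id' key are hypothetical.
declare(strict_types=1);

// Call at the top of every request, before any output is sent.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    // Refuse session IDs that this server did not issue (session fixation).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Call once, right after the credentials have been verified.
function on_login(int $userId): void
{
    // New ID at the privilege change; true deletes the old session data,
    // so an ID that was fixed or captured before login stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Call on logout: clear the data, expire the cookie, destroy the session.
function on_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

Because the ID changes only at login and logout, ordinary page refreshes never race against a regeneration.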