session_regenerate_id() vs session_id(randomString)

Backend · Unresolved · 3 replies · 2190 views
说谎
说谎 2021-01-18 23:01

What is the distinct difference between session_id($randomString) and session_regenerate_id()? Both seem to change the session id.

3 replies
  •  谎友^
    谎友^ (original poster)
    2021-01-18 23:07

    The session_id function will just change the session id and update the session cookie on the client. The session_regenerate_id function will act like the session_id one, with the additional session migration on the server. In fact, as you can read in the docs of the session_id function, it needs to be called before the session_start function, otherwise it may lead you to a session loss.

    Example:

    Conditions:

    • You're using file based session (php default)

    Description:

    • You start a new session for the current user, the generated session id is '1234abc' and the session save handler saves the session information in /tmp/sess_1234abc.
    • The user will now leave your app
    • The user comes back to your app and the session save handler retrieves the session id '1234abc' from the session cookie; then the session save handler will load the session data file (/tmp/sess_SESSID in this case /tmp/sess_1234abc)
    • Now you change the session id to 'myTestSession' using the session_id function
    • At this point the user session cookie gets updated
    • The user leaves your app
    • The user comes back to your app but the session save handler couldn't retrieve the session data; in fact it will look for the /tmp/sess_myTestSession file, but the session has not been changed by the session_id function, so it is still /tmp/sess_1234abc!

    So if you want to prevent session fixation the way to go is definitely session_regenerate_id
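The following is an added example, not code from the original post, showing the pattern the answer recommends: rotate the id with session_regenerate_id() after a successful login so that any id a client presented before authenticating is discarded, while session_id() is only used before session_start() (for example in a test harness that needs a known id). The credential check and the 'alice' user are constructed stand-ins; it assumes PHP's default file-based save handler and a writable session.save_path.

```php
<?php
// Added example (not from the original post). Demonstrates the difference the
// answer describes: session_regenerate_id() migrates the server-side data to a
// new id and updates the cookie in one call; session_id() only sets the id and
// is therefore only safe to use before session_start().
declare(strict_types=1);

// Constructed credential check. A real application would look the user up and
// compare against a stored password hash.
function credentials_valid(string $user, string $pass): bool
{
    $storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT); // constructed
    return $user === 'alice' && password_verify($pass, $storedHash);
}

// Path of the file the default save handler uses for the current session id.
// Useful to confirm, e.g. in a debug log, that the data actually moved.
function session_file_path(): string
{
    return rtrim(session_save_path() ?: sys_get_temp_dir(), '/') . '/sess_' . session_id();
}

// Login handler: on success, rotate the session id. The old id (possibly planted
// by an attacker before authentication, i.e. session fixation) no longer maps to
// any server-side data, and the authenticated data lives only under the new id.
function login(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    $oldPath = session_file_path();
    // true = delete the old session file immediately instead of leaving it
    // behind; the data in $_SESSION is carried over to the new id.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    error_log("session migrated from {$oldPath} to " . session_file_path());
    return true;
}

// Using a fixed id is only safe BEFORE session_start(): here the save handler
// will read and write /tmp/sess_myTestSession (constructed id) consistently.
// Calling session_id() after session_start() is what the answer warns against.
function start_session_with_known_id(string $id): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new LogicException('session_id() must be called before session_start()');
    }
    session_id($id);
    session_start();
}

// Typical request flow (POST /login):
// $ok = login($_POST['user'] ?? '', $_POST['pass'] ?? '');
// http_response_code($ok ? 200 : 401);
```

Passing true to session_regenerate_id() removes the old file at once; leaving it at the default keeps the old file until garbage collection, which means the old id still resolves to a copy of the pre-login data for a while.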
