问题
Why is it always recommended that session_regenerate_id() should be used before the user's session is created. As per my perception, session_regenerate_id() should be used once the user session id is created, and we need to re-generate it so as to mitigate the session fixation attack by the hacker.
Please suggest!!
回答1:
I'm not sure where you've gotten recommendation from, but the session_regenerate_id manual shows it being used after session_start, so your assumptions would be correct.
回答2:
From everything I have read the session_start() has to be called before anything else. The main idea is to create a new id each time so that if a hacker is on the same network, they will not have a static id to use to gain entry to your site. A good explanation of how this is done.
https://youtu.be/8dMsHmlxY0s
and here is an excellent answer that goes into more detail than the video:
https://stackoverflow.com/a/37492488/2654453
来源:https://stackoverflow.com/questions/12427156/using-session-regenerate-id