session_regenerate_id
Update the current session id with a newly generated one
(PHP 4 >= 4.3.2, PHP 5)
Example 2226. A session_regenerate_id() example

User Contributed Notes

Note by babel:
To add to php at 5mm de's comments: if the session is held over HTTPS, it's even better to save the client's cert or SSL session id instead of the hostname or IP, as it's proxy-transparent and more secure.

Note by timo:
This function is vital in preventing session fixation attacks, but is unfortunately missing in PHP versions prior to 4.3.2. This creates a serious security problem if you can't update your PHP version, like me. Therefore I attempted to port this function to PHP itself:

    <?php
    if (!function_exists('session_regenerate_id')) {
        // Port of PHP's internal combined linear congruential generator.
        function php_combined_lcg()
        {
            $tv  = gettimeofday();
            $lcg = array();
            $lcg['s1'] = $tv['sec'] ^ (~$tv['usec']);
            $lcg['s2'] = posix_getpid();
            $q = (int) ($lcg['s1'] / 53668);
            $lcg['s1'] = (int) (40014 * ($lcg['s1'] - 53668 * $q) - 12211 * $q);
            if ($lcg['s1'] < 0) $lcg['s1'] += 2147483563;
            $q = (int) ($lcg['s2'] / 52774);
            $lcg['s2'] = (int) (40692 * ($lcg['s2'] - 52774 * $q) - 3791 * $q);
            if ($lcg['s2'] < 0) $lcg['s2'] += 2147483399;
            $z = (int) ($lcg['s1'] - $lcg['s2']);
            if ($z < 1) { $z += 2147483562; }
            return $z * 4.656613e-10;
        }

        // Build a new id the same way PHP does (remote address, time, LCG value), then
        // install it and re-send the session cookie.
        function session_regenerate_id()
        {
            $tv  = gettimeofday();
            $buf = sprintf("%.15s%ld%ld%0.8f", $_SERVER['REMOTE_ADDR'], $tv['sec'], $tv['usec'], php_combined_lcg() * 10);
            session_id(md5($buf));
            if (ini_get('session.use_cookies')) {
                // use the configured cookie name rather than a hard-coded 'PHPSESSID'
                setcookie(session_name(), session_id(), 0, '/');
            }
            return TRUE;
        }
    }
    ?>

To test this:

    <?php
    session_start();
    $sid = session_id();
    session_regenerate_id();
    echo "Old session ID: ", $sid, "\nNew session ID: ", session_id(), "\n";
    ?>

will output something similar to:

    Old session ID: 6e3521f44be4fc452b368e703f044ca1
    New session ID: 1c6dac9a3e794f164d4115872b902471

Note by php at 5mm de:
This feature seems to create a new session ID without clearing the old session data. This is a very important feature for security validation:

    $usedns    = TRUE; // eliminates failures caused by proxies using IP chains, but slower
    $useragent = getenv("HTTP_USER_AGENT");
    $host      = getenv("REMOTE_ADDR");
    $dns       = $usedns ? @gethostbyaddr($host) : $host;
    session_start();
    if (session_is_registered('securitycheck')) {
        if ((($_SESSION['securitycheck']['host'] != $host) && !$usedns)
            || ($_SESSION['securitycheck']['dns'] != $dns)
            || ($_SESSION['securitycheck']['useragent'] != $useragent)) {
            // validation failed: this client gets a fresh, empty session
            session_regenerate_id();
            session_unset();
        }
    } else {
        // first request of this session: remember who it was issued to
        $currentdata = array();
        $currentdata['host']      = $host;
        $currentdata['dns']       = $dns;
        $currentdata['useragent'] = $useragent;
        $_SESSION['securitycheck'] = $currentdata;
    }

If somebody steals an active SID (e.g. by referrer or injection attack), he can't be validated because of either the host / DNS or user agent and will get a new (empty) SID, without interrupting the original session. Please mail me for any comments: php at 5mm de

Note by dyer85:
There could be a potential problem with elger at NOSPAM dot yellowbee dot nl's post a few notes below. The code uses the REQUEST_URI server variable, which in some cases might already contain the query string. Therefore, always appending '?whatever=foo' would occasionally cause the script to malfunction. I suggest using PHP_SELF, which will not contain the query string after the file.

Note by elger:
Take good notice of the new cookie being sent on calling session_regenerate_id() on cookie-enabled sessions. Make sure your page is reloaded, otherwise you'll get a "session_destroy(): Session object destruction failed" error. So here are the examples:

Wrong:

    <?php
    session_start();
    session_regenerate_id();
    session_destroy();
    ?>

Correct-like:

    <?php
    if (empty($_GET['mode'])) {
        session_start();
        session_regenerate_id();
        // reload with the new cookie, then destroy on the second request
        header('Location: ' . $_SERVER['REQUEST_URI'] . '?mode=destroy');
        exit;
    } else {
        session_start();
        session_destroy();
    }
    ?>

I noted this because googling the previously mentioned error leads to all kinds of bug reports, but not to the solution (which is, of course, to read the manual).

Note by frank:
If session_regenerate_id() is not present and you still want to change session ids, below is a function which will do the same:

    <?php
    function sessie_regenerate_id()
    {
        $randlen = 32;
        $randval = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
        $random  = "";
        // build a 32-character id from the alphabet above
        for ($i = 1; $i <= $randlen; $i++) {
            $random .= substr($randval, rand(0, strlen($randval) - 1), 1);
        }
        // use md5 value for id or remove capitals from string $randval
        // $random = md5($random);
        if (session_id($random)) {
            return true;
        } else {
            return false;
        }
    }

    if (!function_exists("session_regenerate_id")) {
        sessie_regenerate_id();
    } else {
        session_regenerate_id();
    }
    ?>

Note by nicolas dot chachereau:
session_destroy() does not only destroy the data associated with the current session_id (i.e. the file if you use the default session save handler), but also the session itself: if you call session_destroy() and then session_regenerate_id(), it will return false, and session_id() won't return anything. In order to manipulate a session after destroying it, you need to restart it. So in fact, the code mentioned by chris won't work. If you want to destroy the file associated with the old session_id, try the following:

    <?php
    session_start();
    $old_sessid = session_id();
    session_regenerate_id();
    $new_sessid = session_id();
    session_id($old_sessid);
    session_destroy();
    // If you don't copy the $_SESSION array, you won't be able to use the data
    // associated with the old session id.
    $old_session = $_SESSION;
    session_id($new_sessid);
    session_start();
    $_SESSION = $old_session;
    //...
    ?>

Note: this technique will send 3 Set-Cookie headers (one on each session_start() and one on session_regenerate_id()). I don't think this is a problem, but if it appears to be one, you could either leave it alone and wait for the garbage collector to catch the file associated with the old session, or try to delete the file with unlink().

Note by chris:
licp - no, session_regenerate_id() does not destroy any saved session data. elger, I prefer the following order:

    // populate $_SESSION with any previously saved session data for the current session_id
    session_start();
    ...
    // delete any saved data associated with the current session_id, $_SESSION is not changed
    session_destroy();
    // change session_id, $_SESSION not altered
    session_regenerate_id();
    ...
    // save any $_SESSION data under the current session_id
    session_write_close();

Note posted 18-jul-2005 04:39:
It would be more reliable to use the following regular expression when checking session_ids, as HEX strings (MD5) consist only of the characters a-f and 0-9:

    preg_match('/^[0-9a-f]+$/i', $session_id);

Note posted 27-apr-2007 10:47:
In the PHP help manual it mentions that session_regenerate_id() works for version (PHP 4 >= 4.3.2). But it is not working in 4.2.2 itself. So I did a Google search and found the user-defined function session_regenerate_id on this site. I used it. O.k., it is working well. Thank you.

Note by ross:
In a previous note, php at 5mm de describes how to prevent session hijacking by ensuring that the session id provided matches the HTTP_USER_AGENT and REMOTE_ADDR fields that were present when the session id was first issued. It should be noted that HTTP_USER_AGENT is supplied by the client, and so can be easily modified by a malicious user. Also, the client IP address can be spoofed, although that's a bit more difficult. Care should be taken when relying on the session for authentication.

Note by buraks78:
If you are using cookies to store session ids and your PHP version is 4.3.2, session_regenerate_id() will not issue a cookie with the new id, resulting in authentication failures. Here is my fix:

    session_regenerate_id();
    if (!version_compare(phpversion(), "4.3.3", ">=")) {
        // session.cookie_lifetime is a number of seconds; setcookie() wants an
        // absolute timestamp (0 = session cookie)
        $lifetime = (int) ini_get("session.cookie_lifetime");
        setcookie(session_name(), session_id(), $lifetime ? time() + $lifetime : 0, "/");
    }

Note by dbks:
I wish to force.open.eyes=1 to all of you (like me 5 minutes ago). I didn't notice the title (I can see that some of you guys didn't either): session_regenerate_id(); ok, read it again: session_regenerate_id (------); param (TRUE) / (FALSE {default}). Ok, now you have a clue lol :p. For all of you guys (fast readers) that are trying to set the old id to a variable and then regenerate, and then save the new id in a new var, and then set the actual session to the old id, destroy it, and then set the session to the new id... blabla: session_regenerate_id(TRUE); will do the job more easily!! (param Bool for deleting the old session) Works perfectly, enjoy lol

Note by madsen:
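The rotation that nicolas dot chachereau, chris, buraks78 and dbks discuss above, as one added example (my code, not from the manual or any of the notes): it uses session_regenerate_id(true) where PHP supports it and otherwise falls back to the manual regenerate/destroy/restart sequence, re-sending the cookie on 4.3.2. It assumes session_regenerate_id() exists (PHP >= 4.3.2); $authenticated and the user_id value in the usage part are constructed stand-ins.

```php
<?php
// Added example, not code from the manual or from any note above.
// Rotates the session id while keeping $_SESSION and removing the data stored
// under the old id. Assumes PHP >= 4.3.2 (so session_regenerate_id() exists);
// the delete_old_session parameter used on newer PHP exists since PHP 5.1.0.

function rotate_session_id()
{
    if (session_id() === '') {
        return false;                     // nothing to rotate: no active session
    }

    if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
        // One call: new id, Set-Cookie for it, old session storage deleted.
        return session_regenerate_id(true);
    }

    // PHP 4.3.2 - 5.0.x: regenerate, then destroy the old id's storage by hand.
    $old_id = session_id();
    session_regenerate_id();
    $new_id = session_id();
    $data   = $_SESSION;                  // keep the data across the restarts below

    session_write_close();                // persist $data under $new_id, end the session
    session_id($old_id);
    session_start();                      // reopen the OLD session ...
    session_destroy();                    // ... and delete its storage only
    session_id($new_id);
    session_start();                      // reopen the NEW session
    $_SESSION = $data;

    if (version_compare(PHP_VERSION, '4.3.3', '<')) {
        // 4.3.2 does not send the new id's cookie itself (buraks78's note above).
        $lifetime = (int) ini_get('session.cookie_lifetime');
        setcookie(session_name(), $new_id, $lifetime ? time() + $lifetime : 0, '/');
    }
    return true;
}

// Usage (constructed): rotate whenever the privilege level changes, e.g. right
// after a successful login, so an id fixed before login is useless afterwards.
// $authenticated stands in for your own credential check.
session_start();
$authenticated = false;                   // set by your login code (not shown)
if ($authenticated) {
    rotate_session_id();
    $_SESSION['user_id'] = 42;            // constructed sample value
}
```

On the pre-5.1 path the browser receives three Set-Cookie headers for the session name (new, old, new again); the last one wins, which is why the new id is reopened last.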
I had problems with a proxy changing a visitor's session_id cookie, so he'd get a LOT of errors when visiting my site. I handled the bogus session ids like this. (Note: it only works in versions > 4.3.2.)

    <?php
    // Start a session and suppress error messages.
    @session_start();
    // Catch bogus session ids.
    if (!preg_match("/^[0-9a-z]*$/i", session_id())) {
        // Output a warning about the messed-up session id
        // ($error is the site's own error handler object).
        $error->handleError("WARN", "Your session id is messed up, you might not be able to use some features on this site.");
        // Generate a fresh session id.
        session_regenerate_id();
    }
    // Site contents.
    ?>

Hope someone can use it.

Note by gant:
I am calling session_regenerate_id() from inside a method in an object. Since session fixation can occur at permission changes, I have my object call session_regenerate_id() at these particular security changes. Unfortunately, it seems to fabricate some kind of temporary new session, and then on the very next page that loads, it jumps back to the old session id. There seems to be no way to make the regeneration permanent.

Note by sopel:
For PHP 5.1 and later users, this is probably worth visiting: http://ilia.ws/archives/47-session_regenerate_id-Improvement.html

Note by licp:
By inspecting the source code, I am not sure that after session_regenerate_id() runs the original session data is destroyed (it still seems to be kept on the system), so sniffers can still hijack by applying the original session identifier. In addition, I find that if a user-level session storage handler is used, session_regenerate_id() does not work.

Note by php at 5mm de:
Also note that REMOTE_ADDR may change on every request if the user comes through a proxy farm. Most AOL users do.