Regarding the need for session_regenerate_id()


I'm a beginner in PHP.

The PHP session hijacking countermeasures I have seen list

session_regenerate_id(TRUE);

Is it really necessary?

I ask because I created a simple login system using my own sessions. If you enter the username and password on index.php and they can be retrieved from the DB, you go to login.php.

I used a tool to view the header information, took the PHPSESSID that appears in the headers when you log in, and ran:
curl --cookie "PHPSESSID=Session ID" localhost/login.php
When I put the session ID in the cookie and ran curl, the contents of the login screen were displayed, something like "Hello ○○○."

Because I was using session_regenerate_id(TRUE);, I thought a new session ID would be issued every time I POST.
But I was able to log in by sending the same session ID in the headers, so this means that if the target is logged in, it's easy to hijack as long as you can steal the session ID in some way, right?

What does session_regenerate_id(TRUE); mean?
I realize that I don't understand the basics, but I'm not surprised.

Mr. okegem

Some code from index.php (the session is started at the top of the file; the surrounding lines are shown here so the snippet is complete):

session_start();

if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    // credentials matched a DB row: switch to a fresh session ID, then record the login
    session_regenerate_id(TRUE);
    $_SESSION['username'] = $row['username'];
    header('Location: http://127.0.0.1/login.php');
    exit;
}

If the record can be retrieved as shown in , I call session_regenerate_id(TRUE);, put the user name in the session variable and redirect to login.php. Is there a problem around here?

php security

2022-09-30 17:34

1 Answer

You probably understood it correctly, and I feel that the implementation is wrong.
When is session_regenerate_id(TRUE); run?
The correct timing is immediately after the ID and password verification and before writing the login state to the session variable. Is that what you do?
If you don't mind, please attach the source code for the corresponding part so that I can check it in more detail.

I read your comment. There is no problem with the code. I think I understood it a little wrong.

"If the target is logged in, it will be easy to hijack as long as the session ID is stolen in some way, right?"

If the session ID is stolen, the session will be hijacked. Therefore, you must ensure that your session ID is not stolen. Using SSL for the communication channel, adding the secure attribute to cookies, and taking cross-site scripting countermeasures are measures to prevent session IDs from being stolen.
On the other hand, instead of stealing the session ID, there is an attack called "session fixation" in which the attacker sets the session ID in the victim's browser. If the victim logs in with the attacker's session ID, the attacker knows that session ID, so the attacker knows the logged-in session ID. To prevent this, call session_regenerate_id(TRUE).

"One thing I would like to ask is that if you issue a session when you log in, it doesn't matter whether you have session_regenerate_id(TRUE) or not."

You can't do that. Even if a session is first issued at login, PHP accepts the session cookie if there was a session cookie originally. In the context of a session fixation attack, the "original cookie" is the cookie known to the attacker, so you must run session_regenerate_id(TRUE); to switch to a session ID that the attacker does not know.
More importantly, the behavior of the session_start(); function is as shown in . You cannot "issue a (new) session when you log in."


2022-09-30 17:34
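As an added example (not the asker's or the answerer's code), here is a login handler that places session_regenerate_id(true) exactly where the answer says it belongs: after the credentials are verified and before any login state is written to $_SESSION. It also sets the cookie attributes the answer mentions for keeping the ID from being stolen. The database lookup is replaced by a constructed in-memory user table so the file runs without a DB; the column names, the password value and the login.php redirect target are assumptions, and session_set_cookie_params() with an array argument assumes PHP 7.3 or later.

```php
<?php
// Added example: login handler with session_regenerate_id() in the right place.
// Not the original poster's code; DB access is replaced by a constructed array.
declare(strict_types=1);

// Cookie attributes that make the session ID harder to steal
// (must be set before session_start(); defaults come from php.ini).
session_set_cookie_params([
    'secure'   => true,   // only sent over TLS
    'httponly' => true,   // not readable from JavaScript, limits XSS impact
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for the users table: username => password_hash() output.
// The plaintext here exists only so the example can run; a real app stores hashes only.
$users = [
    'alice' => password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT), // constructed
];

/**
 * Verify credentials and, on success, mark the session as logged in.
 * Returns true on success, false otherwise.
 */
function login(string $username, string $password, array $users): bool
{
    // One generic failure path: do not reveal whether the user or the password was wrong.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }

    // Credentials verified. Before storing anything about the login, switch to a
    // session ID the client did not get to choose. The TRUE argument deletes the
    // old session data, so an attacker-chosen (fixated) ID is no longer tied to anything.
    session_regenerate_id(true);

    $_SESSION['username']   = $username;
    $_SESSION['logged_in']  = true;
    $_SESSION['login_time'] = time();
    return true;
}

/** Gate for pages that require a logged-in session (e.g. login.php). */
function requireLogin(): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: index.php');
        exit;
    }
}

/** Log out: clear server-side state and expire the cookie on the client. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if (login($username, $password, $users)) {
        header('Location: login.php'); // assumption: the post-login page
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Two points this makes concrete. First, session_regenerate_id() only runs where you call it; placed in the login branch it runs once per login, not on every POST, which is why a session ID captured after a successful login keeps working until logout or expiry, exactly as the curl test showed. Second, regenerating the ID defeats fixation (an attacker-chosen ID never becomes a logged-in one), while the cookie attributes and TLS are what protect a legitimately issued ID from being stolen; the two measures address different attacks and both are needed.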


