What is the difference between session_create_id and session_regenerate_id()? - php

Doc says
session_create_id() is used to create new session id for the current session.
session_regenerate_id() Update the current session id with a newly generated one.
Is there any difference between these two functions?

Yes, there is a difference: session_create_id() will create a new sessionId, discarding the current $_SESSION information, whereas session_regenerate_id() doesn't destroy them; instead it just updates the sessionId.
Referred from : http://php.net/manual/en/function.session-create-id.php & http://php.net/manual/en/function.session-regenerate-id.php

session_create_id
Create new session id
session_regenerate_id
Update the current session id with a newly generated one
Usage example from the manual:
<?php
session_start(); // a session must be active before session_id() or session_regenerate_id()
$old_sessionid = session_id();
// Set destroyed timestamp
$_SESSION['destroyed'] = time(); // Since PHP 7.0.0 and up, session_regenerate_id() saves old session data
// Simply calling session_regenerate_id() may result in lost session, etc.
// See next example.
session_regenerate_id();
// New session does not need destroyed timestamp
unset($_SESSION['destroyed']);
$new_sessionid = session_id();
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";
print_r($_SESSION);
Which leads us to the following question - why and when you should use it, there's a detailed answer in this link.
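What the two calls actually do to a live session, as an added example that is not from the original thread or the PHP manual. It assumes PHP 7.1 or later (session_create_id() does not exist before that), the default file save handler, and running from the CLI, where no cookie is involved:

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.1 and the
// default file save handler; run from the CLI so no cookie is involved.
session_start();
$_SESSION['user'] = 'alice';
$active = session_id();

// session_create_id() only *returns* a fresh, collision-checked id. It does not
// touch the active session: neither its id nor $_SESSION changes.
$candidate = session_create_id();
var_dump($candidate !== $active);    // bool(true): a new value was generated ...
var_dump(session_id() === $active);  // bool(true): ... but the session still uses the old id
var_dump($_SESSION['user']);         // string(5) "alice": data untouched

// session_regenerate_id(true) swaps the id of the active session, keeps
// $_SESSION, and deletes the old session's storage so the old id can no longer
// be replayed by anyone who learned it (the session-fixation defence).
session_regenerate_id(true);
var_dump(session_id() !== $active);  // bool(true): the session now has a new id
var_dump($_SESSION['user']);         // string(5) "alice": data survived the swap

session_write_close();
```

The practical split is therefore: session_regenerate_id() is the call to make when an existing session changes privilege level; session_create_id() is for code that needs a valid id before a session exists or inside a custom save handler, and it never alters session state by itself.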

Related

session_destroy() + session_start() not after header redirect

Trying to temporarily store information in a multi-page sign-up. Because I don't want old sessions to mess with the new sign-up data, I'm trying to destroy the old session. The problem is the following.
Not working:
signup1.php
//Start new session
session_regenerate_id(TRUE);
session_destroy();
unset($_SESSION);
session_start();
//Store values in session
$_SESSION['created'] = time();
//Redirect to second step
header('Location: '.$settings->siteurl.'signup2.php');
exit();
signup2.php
<pre>
<?php
//Print $_SESSION (empty array)
print_r($_SESSION);
?>
Working (but returns old $_SESSION values + updated values):
//Start new session
session_regenerate_id(TRUE);
//Store values in session
$_SESSION['created'] = time();
//Redirect to second step
header('Location: '.$settings->siteurl.'signup2.php');
exit();
What could resolve the problem? session_start(); is first called in init.php, but it doesn't matter if I place it above session_regenerate_id(TRUE); the array stays empty.
You should use this first:
session_start(); // Starts a new or resumes an existing session
Then you may use:
session_regenerate_id(TRUE); // regenerates the active session id
The TRUE/delete_old_session parameter is used for:
Whether to delete the old associated session file or not.
session_regenerate_id() is useful to prevent session hijacking; it just regenerates a new id but keeps the session data. This should be used when the user's access level changes or on a time interval (e.g. every 10 minutes), but before you regenerate another new session id you need to start the session first.

session_regenerate_id(true) not work [duplicate]

Possible Duplicate:
Close session and start a new one
I use WampServer 2.1 with PHP 5.3.3. I found that session_regenerate_id(true) does not work in my script. The documentation says that when I set the parameter 'delete_old_session' to true, there should be a new sid and all the session variables should be deleted, but in fact, after the function, $_SESSION['abc'] is still there. Did I misunderstand the function? What is my problem?
I appreciate if anyone can help me,
<?php
session_start();
$_SESSION['abc']=12323;
session_regenerate_id(true);
echo $_SESSION['abc'];
?>
I thought it should display nothing, but it outputs: 12323
session_regenerate_id() updates the current session id with a newly generated one. It does not change session variables.
echo session_id();
session_regenerate_id();
echo session_id();
You should unset session to do that:
unset($_SESSION); // or
$_SESSION = array();
How to start a new session:
session_start();
session_destroy();
session_regenerate_id();
unset($_SESSION);
session_start();
session_regenerate_id sends a new cookie but doesn't overwrite the value stored in $_COOKIE. After calling session_destroy, the open session ID is discarded, so simply restarting the session with session_start will re-open the original, though now empty, session for the current request (subsequent requests will use the new session ID). Instead of session_destroy+session_start, use the $delete_old_session parameter to session_regenerate_id to delete the previous session data.
<?php
session_start();
/* Create a new session, deleting the previous session data. */
session_regenerate_id(TRUE);
/* erase data carried over from previous session */
$_SESSION=array();
?>
To start a new session and leave the old untouched, simply leave out the argument to session_regenerate_id.
Source: http://de.php.net/manual/en/function.session-regenerate-id.php#107323
If you want to destroy the session variables you can call session_destroy();
and if you want a new ID you can call session_regenerate_id();
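Putting the advice from the previous answer (start the session first, then regenerate on privilege change) together with this thread's warning about session_destroy() followed by session_start() in the same request, here is an added example that is not from either thread. It assumes PHP 7.1 or later and the default cookie-based session; verify_password() is a placeholder for the application's real credential check:

```php
<?php
// Added example (not from the original threads). Assumes PHP >= 7.1 and the
// default cookie-based session. verify_password() is a placeholder.
session_start(); // always first: every other session_* call needs an active session

/** Keep the session open but start over: empty data and a fresh id. */
function start_fresh_session(): void
{
    // Do NOT session_destroy() + session_start() here: within the same request
    // session_start() would reopen the old id that is still sitting in $_COOKIE.
    $_SESSION = [];
    session_regenerate_id(true); // new id, old server-side storage deleted
}

/** Promote a visitor to an authenticated user. */
function login(string $user, string $password): bool
{
    if (!verify_password($user, $password)) {
        return false;
    }
    // Privilege change: drop whatever the pre-auth (possibly attacker-chosen)
    // session carried and issue an id the attacker has never seen.
    start_fresh_session();
    $_SESSION['user']       = $user;
    $_SESSION['auth_at']    = time();
    $_SESSION['rotated_at'] = time();
    return true;
}

/** Periodic rotation: unlike login, this keeps the session data. */
function rotate_if_stale(int $interval = 600): void
{
    if (($_SESSION['rotated_at'] ?? 0) < time() - $interval) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
}

/** Full logout: clear data, remove the server copy, and expire the cookie. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

/** Placeholder for the real check (password_verify() against a stored hash). */
function verify_password(string $user, string $password): bool
{
    return $user === 'alice' && $password === 'correct horse battery staple';
}
```

For the multi-step sign-up in the earlier question, call start_fresh_session() and then set $_SESSION['created'] before redirecting: the data survives the redirect because the session stays open for the rest of the request and the browser receives the regenerated id in the new cookie.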

session_regenerate_id before PHP 5.1

I've been looking at using session_regenerate_id in a login class which I have been developing and from reading the PHP documentation and a few other sites it seems that it creates a new session with a newly generated ID carrying across the previous data since the function was added in PHP 4.3.2.
Since PHP 5.1 it has a delete_old_session parameter and if set to true it will also destroy the previous session but in previous versions it will not.
My question is if I was to use session_regenerate_id on a server running a PHP version below 5.1 what would be the best way to use session_regenerate_id and to destroy the previous session?
I don't think session_destroy() would work because if I used it before session_regenerate_id then it wouldn't be able to carry across the previous session data and if used after it would just destroy the new session.
This should solve your problem:
session_start();
// gets current (previous) session
$previousID = session_id();
session_regenerate_id();
// get the new session id
$newID = session_id();
// close session related files
session_write_close();
// set the old session id
session_id($previousID);
// start the old session
session_start();
// clear the old session
session_destroy();
// save the old session state (destroyed session)
session_write_close();
// set the regenerated session id
session_id($newID);
// start the new session
session_start();
Now your old session data is erased and transferred to a new session id.

Unset a specific session using session id

I am the administrator of the site. I want to unset a particular session, and I know its session id.
The users are just starting the session like this:
session_id("usernumber");
session_start();
Let’s say user A has usernumber "123".
I want to destroy all the values of user A. User A will not regenerate the session_id() after setting it as session_id("123");.
How can I unset or destroy the session only for user A?
Answer by Jack Luo on php.net
$session_id_to_destroy = 'nill2if998vhplq9f3pj08vjb1';
// 1. commit session if it's started.
if (session_id()) {
session_commit();
}
// 2. store current session id
session_start();
$current_session_id = session_id();
session_commit();
// 3. hijack then destroy session specified.
session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();
// 4. restore current session id. If don't restore it, your current session will refer to the session you just destroyed!
session_id($current_session_id);
session_start();
session_commit();
Without reverse engineering the session handler....
<?php
// killsid comes straight from the request: validate it and check that the
// caller is actually authorised to kill sessions before trusting it.
session_id($_GET['killsid']);
session_start();
session_destroy() || die("failed to kill");
You could try to get session_save_path() (in this directory session files are stored).
When you are using default session names the filename looks like sess_jgimlf5edugvdtlaisumq0ham5, where jgimlf5edugvdtlaisumq0ham5 is the user's session id, so you can just unlink this file unless you don't have permission to edit those files.
As far as I know, the only supported way to do so with the default session handler is to impersonate the user with session_id("usernumber"); and then remove the values.
You could also store sessions in a database, which would make this all pretty straightforward, yet you need to write your own session handling code.
BTW, the session ID is supposed to be a long random string which you cannot guess. Using 123 means that any anonymous visitor can easily log in with any user credentials.
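One way to do what the last answer suggests, keeping sessions in a database so that a specific user's sessions can be revoked without impersonating them with session_id(): an added example, not code from the thread. It assumes PHP 8.0 or later (union return types, constructor promotion) with the PDO SQLite driver and SQLite 3.24+ for ON CONFLICT; the table layout and the tagUser() and destroyUserSessions() methods are this example's own invention.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread). Assumes PHP >= 8.0 with the
// PDO SQLite driver and SQLite >= 3.24. Table layout and the tagUser() /
// destroyUserSessions() methods are this example's own.
final class DbSessionHandler implements SessionHandlerInterface
{
    private ?int $pendingUserId = null;

    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id        TEXT PRIMARY KEY,
            data      TEXT NOT NULL,
            user_id   INTEGER,
            last_seen INTEGER NOT NULL)');
    }

    /** Call right after a successful login so the next write() records the owner. */
    public function tagUser(int $userId): void
    {
        $this->pendingUserId = $userId;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row; // '' means "no such session"
    }

    public function write(string $id, string $data): bool
    {
        // Keep the existing owner when this request did not (re)tag the user.
        $st = $this->db->prepare(
            'INSERT INTO sessions (id, data, user_id, last_seen) VALUES (?, ?, ?, ?)
             ON CONFLICT(id) DO UPDATE SET
                 data      = excluded.data,
                 last_seen = excluded.last_seen,
                 user_id   = COALESCE(excluded.user_id, sessions.user_id)');
        return $st->execute([$id, $data, $this->pendingUserId, time()]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }

    /** Server-side revocation: drop every session that belongs to this user. */
    public function destroyUserSessions(int $userId): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE user_id = ?');
        $st->execute([$userId]);
        return $st->rowCount();
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$handler = new DbSessionHandler($db);
session_set_save_handler($handler, true);

// Request 1: user 123 logs in. Regenerate first so a fixated id is never promoted.
session_start();
session_regenerate_id(true);
$handler->tagUser(123);
$_SESSION['user_id'] = 123;
session_write_close();

// Later, from an admin action: kick user 123 out everywhere without ever
// switching the admin's own session to the victim's id.
echo 'revoked ' . $handler->destroyUserSessions(123) . " session(s)\n";
```

Because the owner is stored next to the session row, revocation is a single DELETE and never has to swap the current request's session id the way the file-handler workaround above does; it also gives the real sessions ids generated by PHP, which closes the guessable "123" problem mentioned above.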

PHP, session problems

I'm having problems with a session variable: after my database has changed the session variable, the page doesn't show the new value when I press the back button. In the database it is already updated, but not on the webpage; I have to re-login to see the new variable.
and how do i use session_regenerate_id?
Copied from php.net:
<?php
session_start();
$old_sessionid = session_id();
session_regenerate_id();
$new_sessionid = session_id();
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";
print_r($_SESSION);
?>
When a user presses the back button, their browser generally shows a cached page, rather than re-requesting the page, so that's most likely where your issue is coming from.
You use session_regenerate_id by calling it... the user will be given a new session ID and their session will be transferred over to that ID; if you pass true as a parameter, the session will be cleared, too. It's generally used to prevent session fixation attacks.
Make sure that you have put below statement on top of your script otherwise no sessions will be handled:
session_start();
