i have just learning session fixation attack from this atricle
http://shiflett.org/articles/session-fixation
but for defence of this attack i do not understand what is the usage of session_regenerate_id()?
when attacker include session id in url and say to server that i want use this session so all of the session variables related to this session is for him so why regenerating id is useful?
thanks
Throughout the lifetime of a website, there will be many 'sessions'. Each of these sessions is identified by an ID, and is how the web site knows who is who and is able to keep state between different requests.
A session fixation attack is really only possible if you can get ahold of the session id. Some sites allow sessions to persist between different actual browsing sessions (aka 'Remember Me' functionality), and are more vulnerable to this attack if the same session id is used.
If I get ahold of your session id then I can impersonate you only so long as that session id is valid. Using session_regenerate_id, the old ID becomes invalidated, making it useless to anyone who may have intercepted it. If you generate a new ID once a user successfully authenticates themselves, then any of the attempts at capturing a session identifier will no longer yield a valid identifier for an authenticated user (only the 'anonymous' session that the user had prior to authenticating themselves), meaning attackers can only 'impersonate' anonymous users.
Some more security conscious frameworks actually regenerate the session id within browsing sessions (using a timeout as low as 2-3 minutes) rather than just whenever a user logs in to help guard against people grabbing the session id via packet sniffing on the network. Session IDs can only be regenerated in response to a request.
The key point to have in mind is that in order to maintain session state, on every request the client reports its current session id to the server. The reporting mechanism itself (e.g. through a cookie or a URL parameter) is not important here.
From the viewpoint of the server, and excluding advanced precautions being taken¹, the session id reported by the client is authoritative: the server doesn't have a notion of a "correct" or "real" session id for any particular client. Clients are who they say they are.
Of course this raises the question: what is then preventing me from declaring that I am a site administrator with privileges to do anything on your application? Only the fact that I don't know the session id of the real administrator (assuming the real admin does have a session). If I did, I could impersonate the admin and do whatever they can do.
So now from the attacker's viewpoint: how can I learn the admin's session id? Tricking the admin into reporting to the server a specific session id of my own choosing would work! This is the essence of the session fixation attack.
There are several ways to prevent or mitigate the effects of this attack, and one of them is to make the server tell the client "I changed your session id; from now on, use this one". Of course the client is not forced to comply, but friendly clients will of course do so (and the server can refuse to recognize clients even if they were hostile). So even if the attacker manages to trick the admin into using a specific session id known to the attacker, the attack will work only as long as the server doesn't instruct the client to switch to a different session id.
And that's exactly what session_regenerate_id does.
¹ Advanced precautions: for example, the server might keep a track of the last IP address used by the client for each session id. If the server sees a request with a given session id coming from a different IP address then that could be considered suspicious. Of course this simplistic example cannot account for the sophistication of modern internet infrastructure, but the idea is clear. High-security services (e.g. Gmail) use sophisticated techniques of the same type to detect and prevent suspicious activity.
It the session ID is in the URL and the attacker somehow gets another user to visit this URL, the attacker will know the session ID.
e.g. suppose the attacker places this code snippet on their own website "evil.com" (session ID trimmed for brevity)
Login to site to continue
and then induces their victim to visit their site (e.g. sending them an email containing a link to "evil.com"). If the user visits the attackers website, and then follows the link to "example.com" and then logs in it may be possible for the attacker to follow the same link and hijack the now logged in session (as the IDs will match). e.g. the link could be to a funny video on Facebook but will contain the session ID in the URL rather than just a straight login page.
However, if however session_regenerate_id() is called as part of the login process (just after username & password are verified) the session ID will now be new and the attacker will have no way of hijacking the session using this method.
This is not a vulnerability restricted to session IDs in the URL. Say the rest of the website is HTTP and after login the session is moved to HTTPS then it is also wise to regenerate the Session ID because the existing Session ID could have been intercepted when the traffic was on HTTP.
Related
How do you prevent multiple clients from using the same session ID? I'm asking this because I want to add an extra layer of security to prevent session hijacking on my website. If a hacker somehow figures out another user's session ID and makes requests with that SID, how can I detect that there are different clients sharing a single SID on the server and then reject the hijack attempt?
EDIT
I have accepted Gumbo's answer after careful consideration because I've come to the realization that what I'm asking for is impossible due to the restrictions of a stateless HTTP protocol. I forgot about what is perhaps the most fundamental principle of HTTP, and now that I think about this question seems a bit trivial.
Let me elaborate what I mean:
After User A logs in on example.com, he is given some random session ID, for simplicity's sake, let it be 'abc123'. This session ID is stored as a cookie on the client side and is validated with a server-side session to ensure the user who logged in remains logged in as he moves from one webpage to another. This cookie of course would not need to exist if HTTP were not stateless. For that reason, if User B steals User A's SID, and creates a cookie on his computer with the value 'abc123', he would have successfully hijacked User A's session, but there is simply no way for the server to legitimately recognize that User B's request is any different from User A's requests, and therefore the server has no reason to reject any request. Even if we were to list the sessions that were already active on the server and try to see if someone is accessing a session that is already active, how can we determine that it is another user who is accessing the session illegitimately and not the same user who is already logged in with a session ID, but simply trying to make another request with it (ie navigate to a different webpage). We can't. Checking the user agent? Can be spoofed - but good as a Defense in Depth measure nevertheless. IP Address? Can change for legitimate reasons - but instead of not checking for the IP address at all, I suggest checking something like the first two octets of the IP, as even a user on a data plan network who constantly has a changing IP for perfectly legitimate reasons would only usually have the last two octets of their IP change.
In consclusion, it is the stateless HTTP that condemns us to never being able to fully protect our websites from session hijacking, but good practices (like the ones Gumbo has provided) will be good enough to prevent a good majority of session attacks. Trying to protect sessions from hijacking by denying multiple requests of the same SID is therefore simply ludicrous, and would defeat the whole purpose of sessions.
Unfortunately, there is no effective way to unmistakably identify a request that originates from an attacker in opposite to a genuine request. Because most properties that counter measures check like the IP address or user agent characteristics are either not reliable (IP address might change among multiple requests) or can be forged easily (e. g. User-Agent request header) and thus can yield unwanted false positives (i. e. genuine user switched IP address) or false negatives (i. e. attacker was able to successfully forge request with same User-Agent).
That’s why the best method to prevent session hijacking is to make sure an attacker cannot find out another user’s session ID. This means you should design your application and its session management that (1) an attacker cannot guess a valid session ID by using enough entropy, and (2) that there is no other way for an attacker to obtain a valid session ID by known attacks/vulerabilities like sniffing the network communication, Cross-Site Scripting, leakage through Referer, etc.
That said, you should:
use enough random input for generating the session ID (see session.entropy_file, session.entropy_length, and session.hash_function)
use HTTPS to protect the session ID during transmission
store the session ID in a cookie and not in the URL to avoid leakage though Referer (see session.use_only_cookies)
set the cookie with the HttpOnly and Secure attributes to forbid access via JavaScript (in case of XSS vulnerabilities) and to forbid transmission via insecure channel (see session.cookie_httponly and session.cookie_secure)
Besides that, you should also regenerate the session ID while invalidating the old one (see session_regenerate_id function) after certain session state changes (e. g. confirmation of authenticity after login or change of authorization/privileges) and you can additionally do this periodically to reduce the time span for a successful session hijacking attack.
Can we do something like this.
Store session id in database.
Also store the Ip address and the HTTP_USER_AGENT for that session id.
Now when a request comes to the server containing that matching session id, Check from which agent and ip it is coming from in your script.
Can make this funda work by make common function or class for session so that every request is verified before it is processed. It would hardly take some micro seconds. But, If many users are visiting your site and you have huge database of sessions, then this might be little performance issue. But, It would surely be very secure compared o other methods like
=> Using regenerating sessions.
In regenerating session ids, there is again little chance of session hijacking.
suppose, user's session id is copied and that user is not working or active for sometime and no request is made to server with old session id asking to regenerate new one. Then In case session id is hijacked, hacker will use that session id and make request to server with that id, then server will respond back with regenerated session id and so that hacker can go on using the services. Actual user will no longer be able to operate because he is unknown of what the regenerated id is and what request session id is to be passed in request. Completely Gone.
Please correct me if i m wrong somewhere.
There are lots of standard defenses against session hijacking. One of them is to match each session to a single IP address.
Other schemes may use an HMAC generated from:
the network address of the client's IP
the user-agent header sent by the client
the SID
a secret key stored on the server
The reason only the network address of the IP is used is in case the user is behind a public proxy, in which case their IP address can change with each request, but the network address remains the same.
Of course, to truly be secure, you really ought to force SSL for all requests so that the SID can't be intercepted by would-be attackers in the first place. But not all sites do this (::cough:: Stack Overflow ::cough::).
Session hijacking is a serious threat, it has to handle by using a secure socket layer for advanced application which involves transactions or by using simple techniques like using cookies, session timeouts and regenerates id etc as explained above.
When the internet was born, HTTP communications were designed to be stateless; that is, a connection between two entities exists only for the brief period of time required for a request to be sent to the server, and the resulting response passed back to the client.
Here are a few methods which hackers follow to hijack the session
Network Eavesdropping
Unwitting Exposure
Forwarding, Proxies, and Phishing
Reverse Proxies
Always recommend SSL Secure Sockets Layer
Use cookies also to following ini_set() directives at the start of your scripts, in order to override any global settings in php.ini:
ini_set( 'session.use_only_cookies', TRUE );
ini_set( 'session.use_trans_sid', FALSE );
Use Session Timeouts and Session Regenerate ID
<?php
// regenerate session on successful login
if ( !empty( $_POST['password'] ) && $_POST['password'] === $password )
{
// if authenticated, generate a new random session ID
session_regenerate_id();
// set session to authenticated
$_SESSION['auth'] = TRUE;
// redirect to make the new session ID live
header( 'Location: ' . $_SERVER['SCRIPT_NAME'] );
}
// take some action
?>
In my view you can store session id in database when users login and check everyone for the same before loggin in. delete the same session id which you have stored in database when users logout. You can easily findout session id of each and every user or else I can help you.
One of the easy implementations can be done by making a table in database , as logged users , then at login, update that table with user name and his SID , this will prevent other logins as same user , now at the time of log out , just run a simple query , which deletes the logged in data in database , this can also be used to trace logged in user on ur website at a time .
Obviously when you'll set session cookie in the browser, that cookie is sent in the request. Now when request comes, Server will check the session id in database and grant access. To prevent that only its important to store agent and ip so that before checking server makes sure that sessions access is granted to the unique client and not the unique session id which can be hijacked.
I don't know about the coding part well. So I can tell u an algorithm to do this. Setting stuffs like SSL, or setting the session cookie to secure and httpOnly wont work if a user sniffs the session id from a LAN network(Provided user and attacker are in the same LAN).
So what you can do is, once the user successfully logs into the application, set unique token to each and every pages of the web application and keep a track of this at the server side. So that if the valid user sends the request to access a particular page, the token of that page will also be sent to the server side. Since the tokens are unique for a user for a particular session, even if the attacker can get the session id, he cannot hijack the users session as he cannot provide the valid token to the server.
#Anandu M Das:
I believe what you may be referring to is the use of session tokens with each session ID. This site can explain the use of tokens with sessions:
https://blog.whitehatsec.com/tag/session-token/
Although session tokens are easily compromised by an XSS attack, this doesn't mean that they should never be used. I mean let's face it, if something was compromisable by a security vulnerability on the server, its not the fault of the method, its the fault of the programmer who introduced that vulnerability (to highlight points made by Hesson and Rook).
If you follow proper security conventions and practicies and secure your site from SQL injection, XSS, and require all sessions be managed over HTTPS, then you can easily manage the potential attack from CSRF by use of server-side tokens, stored within the session, and updated everytime the user would cause a manipulation to their session (like a $_POST being submitted). Also, NEVER store sessions or their contents in a url, no matter how well you think they are encoded.
When the security of your users is paramount (which it should be), the use of session tokens will allow better or more advanced functionality to be provided without compromising their session security.
I'm using session variable for login purpose. If login is successful $_SESSION['userName'] is set. In some pages there are codes like if(isset($_SESSION['userName'])) echo $_SESSION['userName];
I wonder if $_SESSION['userName'] is already set by other website in someone's browser it will lead to a huge problem. How may I overcome this problem, please suggest.
The session value is communicated between a browser and a server by HTTP cookie.
The HTTP cookie is only shared on the same host name like (*.stackoverflow.com)
So, I think another website cannot be get a session value of others.
So this is how a PHP session works.
PHP generates a session id for a specific user. It then hashes that ID and passes the hash to the user as a cookie.
On each subsequent request the user send that cookie back, PHP and looks up the session data for that session hash. It is then able to start the session associated with that user. In that sense no other user is able to access the first user's session without knowing the session hash.
However the end user is vulnerable to session hijacking in case someone else steals their cookies and there's a number of ways this can happen.
Session fixation which someone tricks a user of your site to use a session ID that someone has provided them (there's not much you can do about this).
Man in the middle attacks where someone is between the user and your website and intercepts all data that get passed along. This usually can be protected against by serving the page under HTTPS (not always but it's a lot harder for someone to steal data that comes over HTTPS).
Cross-site scripting (XSS), when someone uses client-side code (which can access cookies) to impersonate that user. You can protect against this by implementing CORS restrictions and sending a "nonce" with each response which you expect the user to return when they send the next request.
Taking advantage of browser exploits that expose the user's cookies to another website. It's normally a requirement to browser manufacturers to prevent websites from accessing cookies they did not set, but sometimes bugs can be present that prevent this. This is usually taken care of if the user keeps their browser up to date (not because exploits are not there but because most people haven't found them yet).
Someone breaks into a user's house and uses the user's browser (can't do anything about this one either).
There's probably more ways
How do you prevent multiple clients from using the same session ID? I'm asking this because I want to add an extra layer of security to prevent session hijacking on my website. If a hacker somehow figures out another user's session ID and makes requests with that SID, how can I detect that there are different clients sharing a single SID on the server and then reject the hijack attempt?
EDIT
I have accepted Gumbo's answer after careful consideration because I've come to the realization that what I'm asking for is impossible due to the restrictions of a stateless HTTP protocol. I forgot about what is perhaps the most fundamental principle of HTTP, and now that I think about this question seems a bit trivial.
Let me elaborate what I mean:
After User A logs in on example.com, he is given some random session ID, for simplicity's sake, let it be 'abc123'. This session ID is stored as a cookie on the client side and is validated with a server-side session to ensure the user who logged in remains logged in as he moves from one webpage to another. This cookie of course would not need to exist if HTTP were not stateless. For that reason, if User B steals User A's SID, and creates a cookie on his computer with the value 'abc123', he would have successfully hijacked User A's session, but there is simply no way for the server to legitimately recognize that User B's request is any different from User A's requests, and therefore the server has no reason to reject any request. Even if we were to list the sessions that were already active on the server and try to see if someone is accessing a session that is already active, how can we determine that it is another user who is accessing the session illegitimately and not the same user who is already logged in with a session ID, but simply trying to make another request with it (ie navigate to a different webpage). We can't. Checking the user agent? Can be spoofed - but good as a Defense in Depth measure nevertheless. IP Address? Can change for legitimate reasons - but instead of not checking for the IP address at all, I suggest checking something like the first two octets of the IP, as even a user on a data plan network who constantly has a changing IP for perfectly legitimate reasons would only usually have the last two octets of their IP change.
In consclusion, it is the stateless HTTP that condemns us to never being able to fully protect our websites from session hijacking, but good practices (like the ones Gumbo has provided) will be good enough to prevent a good majority of session attacks. Trying to protect sessions from hijacking by denying multiple requests of the same SID is therefore simply ludicrous, and would defeat the whole purpose of sessions.
Unfortunately, there is no effective way to unmistakably identify a request that originates from an attacker in opposite to a genuine request. Because most properties that counter measures check like the IP address or user agent characteristics are either not reliable (IP address might change among multiple requests) or can be forged easily (e. g. User-Agent request header) and thus can yield unwanted false positives (i. e. genuine user switched IP address) or false negatives (i. e. attacker was able to successfully forge request with same User-Agent).
That’s why the best method to prevent session hijacking is to make sure an attacker cannot find out another user’s session ID. This means you should design your application and its session management that (1) an attacker cannot guess a valid session ID by using enough entropy, and (2) that there is no other way for an attacker to obtain a valid session ID by known attacks/vulerabilities like sniffing the network communication, Cross-Site Scripting, leakage through Referer, etc.
That said, you should:
use enough random input for generating the session ID (see session.entropy_file, session.entropy_length, and session.hash_function)
use HTTPS to protect the session ID during transmission
store the session ID in a cookie and not in the URL to avoid leakage though Referer (see session.use_only_cookies)
set the cookie with the HttpOnly and Secure attributes to forbid access via JavaScript (in case of XSS vulnerabilities) and to forbid transmission via insecure channel (see session.cookie_httponly and session.cookie_secure)
Besides that, you should also regenerate the session ID while invalidating the old one (see session_regenerate_id function) after certain session state changes (e. g. confirmation of authenticity after login or change of authorization/privileges) and you can additionally do this periodically to reduce the time span for a successful session hijacking attack.
Can we do something like this.
Store session id in database.
Also store the Ip address and the HTTP_USER_AGENT for that session id.
Now when a request comes to the server containing that matching session id, Check from which agent and ip it is coming from in your script.
Can make this funda work by make common function or class for session so that every request is verified before it is processed. It would hardly take some micro seconds. But, If many users are visiting your site and you have huge database of sessions, then this might be little performance issue. But, It would surely be very secure compared o other methods like
=> Using regenerating sessions.
In regenerating session ids, there is again little chance of session hijacking.
suppose, user's session id is copied and that user is not working or active for sometime and no request is made to server with old session id asking to regenerate new one. Then In case session id is hijacked, hacker will use that session id and make request to server with that id, then server will respond back with regenerated session id and so that hacker can go on using the services. Actual user will no longer be able to operate because he is unknown of what the regenerated id is and what request session id is to be passed in request. Completely Gone.
Please correct me if i m wrong somewhere.
There are lots of standard defenses against session hijacking. One of them is to match each session to a single IP address.
Other schemes may use an HMAC generated from:
the network address of the client's IP
the user-agent header sent by the client
the SID
a secret key stored on the server
The reason only the network address of the IP is used is in case the user is behind a public proxy, in which case their IP address can change with each request, but the network address remains the same.
Of course, to truly be secure, you really ought to force SSL for all requests so that the SID can't be intercepted by would-be attackers in the first place. But not all sites do this (::cough:: Stack Overflow ::cough::).
Session hijacking is a serious threat, it has to handle by using a secure socket layer for advanced application which involves transactions or by using simple techniques like using cookies, session timeouts and regenerates id etc as explained above.
When the internet was born, HTTP communications were designed to be stateless; that is, a connection between two entities exists only for the brief period of time required for a request to be sent to the server, and the resulting response passed back to the client.
Here are a few methods which hackers follow to hijack the session
Network Eavesdropping
Unwitting Exposure
Forwarding, Proxies, and Phishing
Reverse Proxies
Always recommend SSL Secure Sockets Layer
Use cookies also to following ini_set() directives at the start of your scripts, in order to override any global settings in php.ini:
ini_set( 'session.use_only_cookies', TRUE );
ini_set( 'session.use_trans_sid', FALSE );
Use Session Timeouts and Session Regenerate ID
<?php
// regenerate session on successful login
if ( !empty( $_POST['password'] ) && $_POST['password'] === $password )
{
// if authenticated, generate a new random session ID
session_regenerate_id();
// set session to authenticated
$_SESSION['auth'] = TRUE;
// redirect to make the new session ID live
header( 'Location: ' . $_SERVER['SCRIPT_NAME'] );
}
// take some action
?>
In my view you can store session id in database when users login and check everyone for the same before loggin in. delete the same session id which you have stored in database when users logout. You can easily findout session id of each and every user or else I can help you.
One of the easy implementations can be done by making a table in database , as logged users , then at login, update that table with user name and his SID , this will prevent other logins as same user , now at the time of log out , just run a simple query , which deletes the logged in data in database , this can also be used to trace logged in user on ur website at a time .
Obviously when you'll set session cookie in the browser, that cookie is sent in the request. Now when request comes, Server will check the session id in database and grant access. To prevent that only its important to store agent and ip so that before checking server makes sure that sessions access is granted to the unique client and not the unique session id which can be hijacked.
I don't know about the coding part well. So I can tell u an algorithm to do this. Setting stuffs like SSL, or setting the session cookie to secure and httpOnly wont work if a user sniffs the session id from a LAN network(Provided user and attacker are in the same LAN).
So what you can do is, once the user successfully logs into the application, set unique token to each and every pages of the web application and keep a track of this at the server side. So that if the valid user sends the request to access a particular page, the token of that page will also be sent to the server side. Since the tokens are unique for a user for a particular session, even if the attacker can get the session id, he cannot hijack the users session as he cannot provide the valid token to the server.
#Anandu M Das:
I believe what you may be referring to is the use of session tokens with each session ID. This site can explain the use of tokens with sessions:
https://blog.whitehatsec.com/tag/session-token/
Although session tokens are easily compromised by an XSS attack, this doesn't mean that they should never be used. I mean let's face it, if something was compromisable by a security vulnerability on the server, its not the fault of the method, its the fault of the programmer who introduced that vulnerability (to highlight points made by Hesson and Rook).
If you follow proper security conventions and practicies and secure your site from SQL injection, XSS, and require all sessions be managed over HTTPS, then you can easily manage the potential attack from CSRF by use of server-side tokens, stored within the session, and updated everytime the user would cause a manipulation to their session (like a $_POST being submitted). Also, NEVER store sessions or their contents in a url, no matter how well you think they are encoded.
When the security of your users is paramount (which it should be), the use of session tokens will allow better or more advanced functionality to be provided without compromising their session security.
I am currently using sessions to handle users data, for example:
Username
Password
Name
Permission
The thing I am wondering about is, if the data is encrypted before sent to session, would regenerate be pointless? I currently have it setup to delete old session from TMP and create a new one.
Could someone explain how it may benefit me I find with documentation they like to make features seem so important, much help appreciated! :)
session_regenerate_id() does not actually prevent session fixation. However, it should be called, at the very least, when a user logs in to prevent the "generic" session fixation attack (1, 2) from working.
The attacker includes a PHPSESSID= parameter in a URL he sends to the user, setting ("fixating") the browser's session ID to a known value. Or he could set a session cookie from one of your other subdomains (possible by uploading an HTML file with embedded JavaScript, for example).
He waits until the user logs in under that session.
He uses the known session ID to hijack the user's account.
Calling session_regenerate_id() prevents step 3 from succeeding, because the attacker would no longer know the session ID at that point.
Also, because subdomains can set cookies for parent domains (which are sent to other subdomains as well), it is recommended that you host any untrusted content on an entirely separate domain name in a well-known TLD such as .com, .net, or .org. Browsers contain blacklists (such as the Public Suffix List) that prevent setting cookies for these TLDs.
For example, content at exampleusercontent.com cannot set a cookie that would be sent to example.com.
After reading a great post on PHP session security .I have two questions from the discussion.
1)$_SERVER['HTTP_USER_AGENT'] -This gets the information about the user's browser and other details and since a person can access their account from a different computer then how is it useful?
2)session_regenerate_id - This regenerates a session id , How should I use it ? Is the session_id deleted after a session has timeout or closed?
Thanks for all your help.I appreciate each view and response.
$_SERVER['HTTP_USER_AGENT'] , you can use this information for when you are using special features that may not work for everyone, or if they want to get an idea of their target audience. This also is important when using the get_browser() function for finding out more information about the browser's capabilities. By having this information the user can be directed to a version of your site best suited to their browser.
session_regenerate_id, When it renames the session id it does not remove the old session, leaving it active and potentially usable by a would be hacker. This does not pose a problem if the function is only used during new session create as the means of preventing session fixation, which is the intended use btw. However, it makes it completely useless if used on each session based request to prevent session leakage via HTTP_REFERER and similar, since the previous session id is still usable. It also means that changing the id on “actions” as some scripts to do prevent session theft also is pointless; in fact it doubles the amount of session ids for the same user making it only simpler to assume their identity. Furthermore it means that on every call to the function there is duplication in the number of sessions entries that will hang around until they are considered expired and removed by the garbage collection process.
The User-Agent is useful for determining the browser being used, which may lead to guessing some of its capabilities. For example, most mobile devices can be accurately identified by their browser's user agent (see WURFL), thus allowing a site's developer to direct mobile devices to the site's mobile version.
However, it can be modified by the user, so its value should be taken with a grain of salt as is the case with any user input.
session_regenerate_id() doesn't delete the session. It merely changes its id to a newly created one. To avoid having its old session file hang around until auto deletion by the system, you can delete it yourself by setting the optional function parameter to true. Its use is to avoid session fixation attacks where an attacker can gain access to an existing session's data by knowing and presenting its id to the server.
1) Sessions aren't bound to accounts, they're bound to browser sessions. You can use the user agent information to see if that someone other user agent is trying to hijack the session. However it's not fail-proof. You can also use things like the user's IP address (or a given range of it) to catch hijack attempts.
2) By calling session_regenerate_id from time to time, you reduce the chance of someone hijacking the session. This is especially true if the session ID is passed in the URL. For example let's say someone accidentally pasted a link to a chat with the SID in the URL. If you regenerate the session ID periodically, the users who saw that link can't hijack the session with it, as the ID would've changed already.
I'll try to answer your questions from the bottom up: session_regenerate_id() is useful in preventing session fixation attacks, where a malicious user who has obtained your session ID hijacks your session and can then act as you. When you regenerate the session, you can track the latest session ID in a database or something similar, and only allow access with the most current session ID (incidentally, if you regenerate sessid frequently enough, this will prevent users from browsing your site with multiple browsers/windows), otherwise old sessions will be available by default (unless you pass a boolean true parameter to the session_regenerate_id function call).
Some security-crazy people will suggest regenerating the session ID after every request, but you can also track a session variable that increments per request, and just regenerate every X number of requests (5 or 10 or whatever you determine is a sufficient amount for your security level). The other option is to regenerate the session ID during a privileges escalation, such as logging in.
As for HTTP_USER_AGENT, it is mostly useful in implementing browser/client-specific functionality (for example, displaying a "Get Chrome!" link when users visit your site using Firefox or IE).