I've been looking at using session_regenerate_id in a login class which I have been developing, and from reading the PHP documentation and a few other sites it seems that it creates a new session with a newly generated ID, carrying across the previous data, since the function was added in PHP 4.3.2.
Since PHP 5.1 it has a delete_old_session parameter, and if set to true it will also destroy the previous session, but in previous versions it will not.
My question is: if I were to use session_regenerate_id on a server running a PHP version below 5.1, what would be the best way to use session_regenerate_id and destroy the previous session?
I don't think session_destroy() would work, because if I used it before session_regenerate_id then it wouldn't be able to carry across the previous session data, and if used after it would just destroy the new session.
This should solve your problem:
session_start();
// gets current (previous) session
$previousID = session_id();
session_regenerate_id();
// get the new session id
$newID = session_id();
// close session related files
session_write_close();
// set the old session id
session_id($previousID);
// start the old session
session_start();
// clear the old session
session_destroy();
// save the old session state (destroyed session)
session_write_close();
// set the regenerated session id
session_id($newID);
// start the new session
session_start();
Now your old session data is erased and transferred to a new session id.
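As an added example (my code, not part of the answer above): a helper that destroys the old session on any PHP version. On PHP 5.1 and later it simply passes true to session_regenerate_id(); on older versions it falls back to the answer's regenerate, reopen-old, destroy, reopen-new sequence. The function name, the session_id() check used to detect a started session, and the sample data in the usage are assumptions of mine. Like every session_start() call, it has to run before any output, because each start may emit a Set-Cookie header.

```php
<?php
/**
 * Regenerate the session ID and make sure the OLD session is destroyed,
 * on any PHP version that has session_regenerate_id() (4.3.2+).
 *
 * Added example; regenerate_session_destroying_old() is a name chosen
 * here, not a PHP built-in. Call before any output is sent.
 */
function regenerate_session_destroying_old()
{
    // session_status() only exists from 5.4, so detect an active session
    // by its ID instead (session_id() returns '' when none is started).
    if (session_id() === '') {
        session_start();
    }

    if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
        // delete_old_session = true also removes the old session's storage.
        return session_regenerate_id(true);
    }

    // Pre-5.1 fallback: no delete_old_session parameter, so reopen and
    // destroy the old session by hand.
    $oldId = session_id();
    session_regenerate_id();     // data copied under a fresh ID, cookie updated
    $newId = session_id();
    session_write_close();       // persist $_SESSION under the new ID

    session_id($oldId);
    session_start();             // reopen the old session ...
    session_destroy();           // ... and delete its storage

    session_id($newId);
    session_start();             // resume the new session; $_SESSION is reloaded
    return true;
}

// Usage in a login flow: authenticate, then swap the ID so that a session ID
// planted by an attacker before login no longer maps to the logged-in session.
session_start();
$_SESSION['user'] = 'alice';            // constructed sample data
$before = session_id();
regenerate_session_destroying_old();
$after  = session_id();
assert($before !== $after);             // the ID changed ...
assert($_SESSION['user'] === 'alice');  // ... and the data was carried over
```

The only difference from the answer's sequence is the version check, so that a site that later upgrades PHP automatically gets the built-in single-call form instead of the four extra session starts.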
Doc says
session_create_id() is used to create new session id for the current session.
session_regenerate_id() Update the current session id with a newly generated one.
Is there any difference between these two functions ?
Yes, there is a difference: session_create_id() will create a new session ID, discarding the current $_SESSION information, whereas session_regenerate_id() doesn't destroy it; instead it just updates the session ID.
Referred from : http://php.net/manual/en/function.session-create-id.php & http://php.net/manual/en/function.session-regenerate-id.php
session_create_id
Create new session id
session_regenerate_id
Update the current session id with a newly generated one
Usage example from the manual:
$old_sessionid = session_id();
// Set destroyed timestamp
$_SESSION['destroyed'] = time(); // Since PHP 7.0.0 and up, session_regenerate_id() saves old session data
// Simply calling session_regenerate_id() may result in lost session, etc.
// See next example.
session_regenerate_id();
// New session does not need destroyed timestamp
unset($_SESSION['destroyed']);
$new_sessionid = session_id();
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";
print_r($_SESSION);
Which leads us to the following question - why and when you should use it, there's a detailed answer in this link.
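The "see next example" comment in the manual snippet above refers to the pattern shown below, rewritten here as an added example in my own words (it is not the page's or the manual's code verbatim). The point: a client on a flaky network can lose the Set-Cookie carrying the new ID and come back with the old one. Instead of deleting the old record at once, the old session is marked with a destroyed timestamp and a pointer to the new ID, so the server can tell a late legitimate request apart from someone replaying an ID that should be dead. It needs PHP 7.1+ for session_create_id(); the 300-second grace period, the function names, the explicit copy of $_SESSION into the new record, and the forced-logout step on a stale ID are choices of mine.

```php
<?php
declare(strict_types=1);

const DESTROYED_GRACE_SECONDS = 300; // assumption: tolerate late requests for 5 minutes

/**
 * Start the session. If the client presented an ID that was already
 * regenerated, either forward it to the new ID (recent, probably a lost
 * cookie) or treat it as suspicious (old, possibly a replayed stolen ID).
 */
function safe_session_start(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
    session_start();

    if (!isset($_SESSION['destroyed'])) {
        return; // live session, nothing to do
    }

    if ($_SESSION['destroyed'] < time() - DESTROYED_GRACE_SECONDS) {
        // The old ID is still in use long after regeneration: treat it as a
        // possible hijack. A real application would also invalidate every
        // other session of this user here; this example just drops this one.
        $_SESSION = [];
        session_destroy();
        throw new RuntimeException('Access to a destroyed session ID');
    }

    if (isset($_SESSION['new_session_id'])) {
        // Within the grace period: the client probably lost the cookie.
        // Re-issue the cookie for the new ID and continue with that session.
        $newId = $_SESSION['new_session_id'];
        session_commit();
        session_id($newId);
        session_start();
    }
}

/**
 * Replacement for session_regenerate_id(): keep the old record briefly,
 * with a pointer to the new ID, instead of deleting it immediately.
 */
function safe_session_regenerate_id(): void
{
    $newId = session_create_id();            // new ID, no record for it yet
    $data  = $_SESSION;                      // data to carry over (my addition)

    $_SESSION['new_session_id'] = $newId;
    $_SESSION['destroyed']      = time();
    session_commit();                        // write the old record, release its lock

    session_id($newId);
    ini_set('session.use_strict_mode', '0'); // strict mode would reject an ID with no record
    session_start();
    ini_set('session.use_strict_mode', '1');

    // session_start() gives a fresh $_SESSION for an unknown ID, so restore
    // the carried-over data without the markers the old record got.
    unset($data['destroyed'], $data['new_session_id']);
    $_SESSION = $data;
}

// Usage: call safe_session_start() on every request instead of session_start(),
// and safe_session_regenerate_id() right after a successful login.
safe_session_start();
$_SESSION['user'] = 'alice';   // constructed sample data
$oldId = session_id();
safe_session_regenerate_id();
assert(session_id() !== $oldId);
assert($_SESSION['user'] === 'alice');
assert(!isset($_SESSION['destroyed']));
```

Choosing the grace period is a trade-off: long enough to cover a retried request from a slow client, short enough that a stolen ID is not useful for long; the old record still expires normally under session.gc_maxlifetime regardless.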
I'm trying to temporarily store information in a multi-page sign-up. Because I don't want old sessions to mess with the new sign-up data, I'm trying to destroy the old session. The problem is the following.
Not working:
signup1.php
//Start new session
session_regenerate_id(TRUE);
session_destroy();
unset($_SESSION);
session_start();
//Store values in session
$_SESSION['created'] = time();
//Redirect to second step
header('Location: '.$settings->siteurl.'signup2.php');
exit();
signup2.php
<pre>
<?php
//Print $_SESSION (empty array)
print_r($_SESSION);
?>
Working (but returns old $_SESSION values + updated values):
//Start new session
session_regenerate_id(TRUE);
//Store values in session
$_SESSION['created'] = time();
//Redirect to second step
header('Location: '.$settings->siteurl.'signup2.php');
exit();
What could resolve the problem? session_start(); is set first, in init.php, but it doesn't matter if I place it above session_regenerate_id(TRUE); the array stays empty.
You should use this first:
session_start(); // Starts a new or resumes an existing session
Then you may use:
session_regenerate_id(TRUE); // regenerates the active session id
The TRUE/delete_old_session parameter is used for:
Whether to delete the old associated session file or not.
session_regenerate_id is useful to prevent session hijacking; it just generates a new id but keeps the session data. It should be used when the user's access level changes or at a time interval (e.g. every 10 minutes), but before you regenerate another new session id you need to start the session first.
I am having problems with a custom session start. For security reasons I decided to look for a method that is safe when starting a session, and I came across this tutorial and implemented the method related to starting a session.
The problem is that whenever I initialize a new session variable and redirect to another page which is expecting the value from the initialized session, all my session variables that I initialized earlier on get destroyed, forcing the user to log out. Below is the function I am using to start sessions:
function sec_session_start(){
    $session_name = 'sec_session_id'; // set a custom session name
    $secure = false;                  // true if you are using https
    $httponly = true;                 // this stops JavaScript from accessing the session id
    ini_set('session.use_only_cookies', 1); // FORCES the session to only use cookies
    $cookie_params = session_get_cookie_params(); // get current cookie params
    session_set_cookie_params($cookie_params['lifetime'], $cookie_params['path'], $cookie_params['domain'], $secure, $httponly);
    session_name($session_name); // set the session name to the one set above
    if (!isset($_SESSION)){session_start();} // start the php session
    session_regenerate_id(); // regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
}
I have searched for an answer to my problem with no luck. Please help me on this.
N.B. When I use the default session_start, everything works perfectly.
You should always start the session, not only when $_SESSION is not set.
if (!isset($_SESSION)){session_start();}//start the php session
session_regenerate_id();//regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
should be
session_start();//Start new or resume existing session
session_regenerate_id();//regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
Reference: session_regenerate_id
Try to put session_start() at top of your php code, as first instruction.
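Putting the two answers above together as an added example (my code, not the asker's tutorial and not the manual's): a session bootstrap that always calls session_start(), hardens the cookie, and regenerates the ID only at a privilege change and on a fixed interval rather than on every request. The cookie name, the 10-minute interval, the sample user table, and the function names are assumptions of mine. It needs PHP 7.3+ for the array form of session_set_cookie_params() (the samesite attribute).

```php
<?php
declare(strict_types=1);

const SESSION_NAME        = 'sec_session_id'; // assumption: custom cookie name
const REGENERATE_INTERVAL = 600;              // assumption: rotate the ID every 10 minutes

/**
 * Configure and start (or resume) the session. It always calls
 * session_start(): $_SESSION is only populated by session_start(), so
 * guarding the call with isset($_SESSION) means the session is never resumed.
 */
function sec_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started on this request
    }
    ini_set('session.use_only_cookies', '1'); // ignore IDs passed in the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue (anti-fixation)

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,   // only over TLS when the site is served over TLS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    session_name(SESSION_NAME);
    session_start();

    // Periodic rotation limits how long a leaked ID stays usable.
    if (!isset($_SESSION['last_regen'])) {
        $_SESSION['last_regen'] = time();
    } elseif (time() - $_SESSION['last_regen'] > REGENERATE_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
}

/**
 * Privilege change: verify the password, then swap the session ID so that an
 * ID fixed by an attacker before login does not become an authenticated one.
 * $users maps username => password_hash() output (constructed sample table).
 */
function login_user(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);          // new ID, old record deleted
    $_SESSION['user']       = $username;
    $_SESSION['logged_in']  = true;
    $_SESSION['last_regen'] = time();
    return true;
}

/** Log out: clear the data, expire the cookie, delete the record. */
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: constructed sample user table, hashed at runtime.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
sec_session_start();
$anonymousId = session_id();
if (login_user('alice', 'correct horse', $users)) {
    assert(session_id() !== $anonymousId); // ID rotated at the privilege change
    echo 'logged in as ', $_SESSION['user'], ' with session ', session_id(), PHP_EOL;
}
```

Regenerating only at login and on the interval, rather than on every request as the asker's function does, avoids the race where two concurrent requests from the same browser (an AJAX call and a page load, say) each regenerate and one of them ends up with an ID whose record was just deleted.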
I started a session variable $_SESSION['ProdID'] = $ProdID; earlier in my code, and I started another ProdID session variable on another page of my script.
I want to end the first one while this new one stays active, without logging out.
Create a page with any name you want.
For example, create a page named logout.php and paste this code in it.
<?php
session_start();
session_destroy();
header('location:login_page.php');
?>
If you want to destroy all sessions, it's better to use session_destroy().
If you want to destroy a specific session, you can use unset($_SESSION['']);
First destroy the current session by regenerating a new session ID to create new cookies. You can then set your values in the new session; the old session is destroyed. Optionally, delete all old session variables if you don't need them any longer:
/* generate new session id and delete old session in store */
session_regenerate_id(true);
/* optional: unset old session variables */
$_SESSION = array();
/* set new value(s) */
$_SESSION['name'] = 'value';
If you still want to keep the old session ("without logging out") you can remove the true parameter so the old session is kept in store:
/* generate new session id and keep old session in store */
session_regenerate_id();
The rest would remain the same.
Try using session_destroy(); to end your current session.
Use
unset($_SESSION["ProdID"]);
Only put the unset at the end of your code, like this:
unset($_SESSION['ProdID']);
Possible Duplicate:
Close session and start a new one
I use wampserver2.1 with php5.3.3. I found that session_regenerate_id(true) does not work in my script. The documentation says that when I set the parameter 'delete_old_sessions' to true, there should be a new sid and all the session variables should be deleted, but in fact after the function $_SESSION['abc'] is still there. Did I misunderstand the function? What is my problem?
I'd appreciate it if anyone could help me.
<?php
session_start();
$_SESSION['abc']=12323;
session_regenerate_id(true);
echo $_SESSION['abc'];
?>
I thought it should display nothing, but it outputs: 12323
session_regenerate_id() updates the current session id with a newly generated one. It does not change session variables.
echo session_id();
session_regenerate_id();
echo session_id();
You should unset the session data to do that:
unset($_SESSION); // or
$_SESSION = array();
How to start a new session:
session_start();
session_destroy();
session_regenerate_id();
unset($_SESSION);
session_start();
session_regenerate_id sends a new cookie but doesn't overwrite the value stored in $_COOKIE. After calling session_destroy, the open session ID is discarded, so simply restarting the session with session_start will re-open the original, though now empty, session for the current request (subsequent requests will use the new session ID). Instead of session_destroy+session_start, use the $delete_old_session parameter to session_regenerate_id to delete the previous session data.
<?php
session_start();
/* Create a new session, deleting the previous session data. */
session_regenerate_id(TRUE);
/* erase data carried over from previous session */
$_SESSION=array();
?>
To start a new session and leave the old untouched, simply leave out the argument to session_regenerate_id.
Source: http://de.php.net/manual/en/function.session-regenerate-id.php#107323
If you want to destroy the session variables you can call session_destroy();
and if you want to get a new ID you can call session_regenerate_id();