
Is starting session_start this way more secure?

A friend of mine starts his session this way.

<?php
session_start();
session_regenerate_id();
session_destroy();
unset($_SESSION);
session_start();
?>

Are there any security advantages, against session hijacking etc.?

Just wondering why, as opposed to the usual session_start();


All you'd need is

session_start();
session_regenerate_id();

That'll start the session and change its ID on each request. However, this will not prevent session hijacking. If the attacker can get the user's session cookie and send a request back to the server BEFORE the user can, then the attacker gets a brand new session ID, and the user is left with an invalid session token and is effectively logged out.


If this code is found at the top of every page on a given site, there will be no session that is maintained between post backs and different pages. If you want to use SESSION as server-side storage for data that you're not going to use across post backs or multiple pages then I suppose it may be viable, but that would make for a very odd and most likely poorly developed application.

What it looks like your friend may have been trying to do is wipe out any previous SESSION information and then start a new one. Perhaps he is checking against some quantifier and if it evaluates properly then including this in a PHP page? In any case, calling Rocket's functions works better.


This code deletes the session then makes a new empty one each time it's run.

session_destroy();
unset($_SESSION);

This will remove all data in your session, then session_start will make you a brand new one.

You can run this the 1st time to make a new session, but if you want to have the data in the session on other page loads, you just need session_start.
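The two points made in the answers above (regenerate the ID when it matters rather than on every request, and destroy plus clear the session rather than just unsetting it) fit together into one routine. The following is an added example, not code from the question or any of the answers; it assumes PHP 7.3 or later (for the array forms of session_set_cookie_params and setcookie), and the function names secure_session_start, login_user and logout_user are illustrative, not part of PHP's API.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.3.
// Function names below are illustrative; only the session_* / ini_set /
// setcookie calls are PHP's own API.

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started during this request
    }

    // Reject session IDs the server did not generate itself; this stops
    // session fixation where the attacker plants a cookie value in advance.
    ini_set('session.use_strict_mode', '1');
    // Never accept or emit the ID in a URL, so it cannot leak via Referer
    // headers, proxy logs or browser history.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Lax',   // not attached to most cross-site requests
    ]);

    session_start();
}

// Call once, right after the user has authenticated. Regenerating at this
// privilege boundary (not on every request, as in the question's snippet)
// makes any ID captured before login worthless afterwards, without the
// "whoever sends the next request wins" race described in the first answer.
function login_user(int $userId): void
{
    secure_session_start();
    session_regenerate_id(true);   // true: delete the old session storage too
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

// Full logout: clear the server-side data, expire the cookie in the browser,
// then destroy the session. Assigning [] to $_SESSION is the form the PHP
// manual recommends; unset($_SESSION) disables session variable registration
// for the rest of the request.
function logout_user(): void
{
    secure_session_start();
    $_SESSION = [];

    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,   // a time in the past expires it
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);

    session_destroy();
}

// Typical use on a protected page:
// secure_session_start();
// if (empty($_SESSION['user_id'])) { header('Location: /login.php'); exit; }
```

Compared with the question's snippet, this keeps the session alive across page loads (secure_session_start only starts it), changes the ID exactly when the session's trust level changes (login_user), and removes both the server-side record and the client cookie on logout (logout_user). The use_strict_mode setting is the part that actually addresses fixation; regenerating on every request does not, as the first answer notes.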
