Last updated: Fri, 18 May 2012

session_regenerate_id

(PHP 4 >= 4.3.2, PHP 5)

session_regenerate_id — Ersetzt die aktuelle Session-ID durch eine neu erzeugte

Beschreibung

bool session_regenerate_id ([ bool $delete_old_session = false ] )

Die Funktion session_regenerate_id() ersetzt die aktuelle Session-ID durch eine neue und übernimmt die aktuellen Session-Informationen.

Parameter-Liste

delete_old_session: Legt fest, ob die zugehörige alte Sessiondatei gelöscht werden soll oder nicht.

Rückgabewerte

Gibt bei Erfolg TRUE zurück. Im Fehlerfall wird FALSE zurückgegeben.

Changelog

Version	Beschreibung
4.3.3	Falls Session-Cookies aktiviert sind, wird durch die Verwendung von session_regenerate_id() nun auch ein neues Session-Cookie mit der neuen Session-ID abgegeben.
5.1.0	Den Parameter `delete_old_session` hinzugefügt

Beispiele

Beispiel #1 Ein session_regenerate_id()-Beispiel


<?php
session_start();

$alte_sessionid = session_id();

session_regenerate_id();

$neue_sessionid = session_id();

echo "Alte Session: $alte_sessionid<br>";
echo "Neue Session: $neue_sessionid<br>";

print_r($_SESSION);
?>

Siehe auch

session_id() - Liefert und/oder setzt die aktuelle Session-ID
session_start() - Initialisiert eine Session
session_name() - Liefert und/oder setzt den Namen der aktuellen Session

add a note User Contributed Notes
session_regenerate_id

27-Apr-2007 11:47


In php help manual it mention like session_regerate_id() works for version (PHP 4 >= 4.3.2). But it is not working in 4.2.2 itself. So I did google search I found abou the user defined function session_regerate_id in this site. I used it. O.k it is working good. 



           Thank you,

buraks78 at gmail dot com
17-Aug-2006 08:00


If you are using cookies to store session ids and your php version 

is 4.3.2, session_regenerate_id() will not issue a cookie with the

new id resulting in authentication failures.



Here is my fix



session_regenerate_id();

if(!version_compare(phpversion(),"4.3.3",">=")){

   setcookie(

      session_name(),

      session_id(),

      ini_get("session.cookie_lifetime"),

      "/"

   );

}

Gant at BleachEatingFreaks dot com
24-Jan-2006 09:57


I am calling session_regenerate_id() from inside a method in an object.  Since session fixation can occur at permission changes, I have my object call session fixation at these particular security changes.



Unfortunately, it seems to fabricate some kind of temporary new session, and then the very next page that loads, it jumps back to the old session id.  There seems to be no way to make the regeneration perminent.

frank
08-Jan-2006 02:56


session_regenerate_id(); not present and still want to change

session id's - below a function which will do the same

<?php



function sessie_regenerate_id() {

    $randlen = 32;

    $randval = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

    $random = "";

    for ($i = 1; $i <= $randlen; $i++) {

        $random .= substr($randval, rand(0,(strlen($randval) - 1)), 1);

    }

    // use md5 value for id or remove capitals from string $randval

    // $random = md5($random);

    if (session_id($random)) {

        return true;

    } else {

        return false;

    }

}

if (!function_exists("session_regenerate_id")) { 

    sessie_regenerate_id();

} else { 

    session_regenerate_id(); 

}



?>

sopel
19-Sep-2005 02:32


for php 5.1> user probably worth visiting is http://ilia.ws/archives/47-session_regenerate_id-Improvement.html

dyer85 at gmail dot com
25-Aug-2005 07:59


There could be a potential problem with elger at NOSPAM dot yellowbee dot nl's a few posts below. In the code, was used the REQUEST_URI server variable, which, in some cases might already contain the query string. Therefore, always apending '?whatever=foo' would occasionally cause the script to malfunction. I suggest using PHP_SELF, which will not contain the query string after the file.

18-Jul-2005 05:39


It would be more reliable to use the following regular expression when checking session_ids, as HEX strings (MD5) are only of characters a-f and 0-9;



preg_match('/[0-f]/i', $session_id);

Nicolas dot Chachereau at Infomaniak dot ch
02-Jun-2005 08:40


Session_destroy() does not only destroy the data associated with the current session_id (i.e. the file if you use the default session save handler), but also the session itself: if you call session_destroy() and then session_regenerate_id(), it will return false, and session_id() won't return anything. In order to manipulate a session after destroying it, you need to restart it.



So in fact, the code mentionned by chris won't work. If you want to destroy the file associated with the old session_id, try the following:

<?php

session_start();

$old_sessid = session_id();

session_regenerate_id();

$new_sessid = session_id();

session_id($old_sessid);

session_destroy();



//If you don't copy the $_SESSION array, you won't be able to use the data associated with the old session id.

$old_session = $_SESSION;

session_id($new_sessid);

session_start();

$_SESSION = $old_session;

//...

?>



Note: this technique will send 3 Set-Cookie headers (one on each session_start() and one on session_regenerate_id()). I don't think this is a problem, but if it appears to be one, you could either leave it alone and wait for the garbage collector to catch the file associated with the old session, or try to delete the file with unlink().

chris at knowledge dot tee-vee
17-Jan-2005 02:51


licp - no, session_regenerate_id() does not destroy any saved session data.



elger, I prefer the following order



[code]

// populate $_SESSION with any previously saved session data for the current session_id

session_start();  

...

// delete any saved data associated with current session_id, $_SESSION is not changed

session_destroy(); 



// change session_id, $_SESSION not altered

session_regenerate_id(); 

...

// save any $_SESSION data under the current session_id

session_close(); 

[/code]

licp at hotmail dot com
07-Jan-2005 05:07


By inspecting the source code, I am not sure that after session_regenerate_id() run, the original session data does not destroy (still keeps at the system) that sniffers still hijack by applying original session identifier.



In addition, I find that if user-level session storage handler is used. session_regenerate_id() does not work.

php at cny dot de
20-Dec-2004 06:08


Also note that REMOTE_ADDR may change on every request if the user comes through a proxy farm. Most AOL-users do.

ross at kndr dot org
16-Nov-2004 12:41


In a previous note, php at 5mm de describes how to prevent session hijacking by

ensuring that the session id provided matches the HTTP_USER_AGENT and REMOTE_ADDR fields that were present when the session id was first issued.  It should be noted that HTTP_USER_AGENT is supplied by the client, and so can be easily modified by a malicious user.  Also, the client IP addresses can be spoofed, although that's a bit more difficult.  Care should be taken when relying on the session for authentication.

elger at NOSPAM dot yellowbee dot nl
28-Oct-2004 11:10


Take good notice of the new cookie being sent on calling session_regenerate_id on cookie-enabled sessions. 

Make sure your page is reloaded otherwise you'll get an "session_destroy(): Session object destruction failed" error. So here are the examples:



Wrong:

<?php

    session_start();

    session_regenerate_id();

    session_destroy();

?>



Correct-like:

<?php

if (!$_GET['mode']){

    session_start();

    session_regenerate_id();

    header('location: '.$_SERVER['REQUEST_URI'].'?mode=destroy');

} else {

    session_start();

    session_destroy();

}

?>



I noted this because googleing on the previous mentioned error leads to all kinds of bug reports, but not to the solution. (which is, of course, to read the manual)

timo at frenay dot net
26-Aug-2004 08:32


This function is vital in preventing session fixation attacks, but is unfortunately missing in PHP versions prior to 4.3.2. This creates a serious security problem if you can't update your PHP version, like me. Therefore I attempted to port this function to PHP itself:



<?php

    if (!function_exists('session_regenerate_id')) {

        function php_combined_lcg() {

            $tv = gettimeofday();

            $lcg['s1'] = $tv['sec'] ^ (~$tv['usec']);

            $lcg['s2'] = posix_getpid();



            $q = (int) ($lcg['s1'] / 53668);

            $lcg['s1'] = (int) (40014 * ($lcg['s1'] - 53668 * $q) - 12211 * $q);

            if ($lcg['s1'] < 0)

                $lcg['s1'] += 2147483563;



            $q = (int) ($lcg['s2'] / 52774);

            $lcg['s2'] = (int) (40692 * ($lcg['s2'] - 52774 * $q) - 3791 * $q);

            if ($lcg['s2'] < 0)

                $lcg['s2'] += 2147483399;



            $z = (int) ($lcg['s1'] - $lcg['s2']);

            if ($z < 1) {

                $z += 2147483562;

            }



            return $z * 4.656613e-10;

        }



        function session_regenerate_id() {

            $tv = gettimeofday();

            $buf = sprintf("%.15s%ld%ld%0.8f", $_SERVER['REMOTE_ADDR'], $tv['sec'], $tv['usec'], php_combined_lcg() * 10);

            session_id(md5($buf));

            if (ini_get('session.use_cookies'))

                setcookie('PHPSESSID', session_id(), NULL, '/');

            return TRUE;

        }

    }

?>



To test this:

<?php

    session_start();

    $sid = session_id();

    session_regenerate_id();

    echo "Old session ID: ", $sid, "\nNew session ID: ", session_id(), "\n";

?>



- will output something similar to:

Old session ID: 6e3521f44be4fc452b368e703f044ca1

New session ID: 1c6dac9a3e794f164d4115872b902471

babel at nosqamplease sympatico ca
23-Feb-2004 05:48


To add to php at 5mm de's comments:



If the session is held over https, it's even better to save the client's cert or ssl session id instead of the hostname or ip, as it's proxy-transparent and more secure.

php at 5mm de
05-Sep-2003 03:01


This feature seems to create a new session ID without clearing the old session data. This is a very important feature for security validation:



$usedns = TRUE; // for eliminating failture by proxys using IP chains, but slower



$useragent = getenv("HTTP_USER_AGENT");

$host = getenv("REMOTE_ADDR");

$dns = $global['dns'] ? @gethostbyaddr($host):$host;



session_start();



if(session_is_registered('securitycheck')) {

    if(

            (($_SESSION['session']['host'] != $this->host) && !$usedns)

         || ($_SESSION['session']['dns'] != $this->dns)

         || ($_SESSION['session']['useragent'] != $this->useragent)

    ) {

        session_regenerate_id();

        session_unset();

    }

} else {

    $currentdata = array();

    $currentdata['host'] = $this->host;

    $currentdata['dns'] = $this->dns;

    $currentdata['useragent'] = $this->useragent;

    

    session_register('securitycheck', $currentdata);

}



If sombody steals an active SID (e.g. by referrer or injection attack), he can�t be validated because of either the host / dns or useragent and will get a new (empty) SID, without interrupting the original session.



Please mail me for any comments: php at 5mm de

madsen at sjovedyr.dk
28-Aug-2003 04:26


I had problems with a proxy changing a visitors session_id-cookie, so he'd get a LOT of errors when visiting my site.

I handled the bogus session-id's like this. (Note: It only works in versions > 4.3.2.)



<?php

// Start a session and suppress error-messages.

@session_start();



// Catch bogus session-id's.

if (!preg_match("/^[0-9a-z]*$/i", session_id())) {



    // Output a warning about the messed up session-id.

    $error->handleError("WARN", "Your session id is messed up, you might not be able to use some features on this site.");



    // Generate a fresh session-id.

    session_regenerate_id();

}



// Site contents.

?>



Hope someone can use it.

add a note

session_register_shutdown

session_name

Last updated: Fri, 18 May 2012