I'm working on my own session handler class. Let me first say that it seems weird to create a class because I will probably never refer to the object after it gets created, but many people seem to do it that way.
Secondly, I googled around for some code other people have written and found this code for regenerating a session id that I have a question about.
function regenerate_id()
{
    // save the old session's id
    $oldSessionID = session_id();

    // regenerate the id
    // this function creates a new session, with a new id and containing the data from the old session,
    // but does not delete the old session
    session_regenerate_id();

    // because session_regenerate_id() does not delete the old session,
    // we have to delete it manually
    $this->destroy($oldSessionID);
}
QUESTION: Is it really necessary to destroy the old session information? I have read a great article about session fixation attacks that was linked from the php site here:
http://www.acros.si/papers/session_fixation.pdf
I plan to use session id regeneration frequently to help protect against this attack, but am wondering if destroying old sessions with each regen is strictly necessary for security reasons or whether it might cause performance issues because of the extra queries.
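As an added example (not the original poster's code), here is a minimal PHP session setup that answers the question in code: the old session is destroyed by passing `true` to `session_regenerate_id()`, which calls the handler's destroy for you, so no separate delete query is needed. The interval constant, function names and the `login_at`/`regenerated_at` keys are my own choices; it assumes PHP 7 or later and the built-in session handler.

```php
<?php
// Added example, not from the original post. Demonstrates id rotation that
// invalidates the old id, which is what defeats session fixation: a session
// id the attacker planted (or captured) before login must stop working.

const REGEN_INTERVAL = 300; // rotate the id after 5 minutes of use (arbitrary)

function secure_session_start(): void
{
    // Only accept ids from the cookie, never from the URL or a form field,
    // and refuse ids the server never issued (strict mode). Together these
    // remove the easy fixation vectors before regeneration even matters.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();

    // Periodic rotation limits how long a leaked id stays useful.
    if (!isset($_SESSION['regenerated_at'])
        || $_SESSION['regenerated_at'] < time() - REGEN_INTERVAL) {
        rotate_session_id();
    }
}

function rotate_session_id(): void
{
    // true => PHP destroys the old session through the handler, so the poster's
    // manual $this->destroy($oldSessionID) step is built in. The cost is one
    // destroy per rotation; the risk of *not* destroying is that the old id
    // (the one an attacker may know) keeps granting access to the same data.
    // Caveat: a parallel request still using the old id at this instant will
    // find its session gone, so rotate on meaningful events, not every request.
    session_regenerate_id(true);
    $_SESSION['regenerated_at'] = time();
}

// Privilege change (login) is the one place regeneration is mandatory:
// the pre-authentication id must never become an authenticated one.
function on_login(int $userId): void
{
    rotate_session_id();
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function on_logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```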