session fixation protection

alikim

Hi,

Tell me please if it's enough to use just

session_start();
session_regenerate_id();

at the top of all php scripts to prevent session fixation?

I know it's recommended to regenerate only after login but if i use it always it will still work, right?
I need simple solution so I don't need to search through the whole code looking for login snippets.

Thank you,

laserlight

Yes, I believe that should prevent session fixation since any attacker provided session id would be expire as soon as the user loaded the page with it.

NogDog

It's probably overkill in terms of regenerating the session id (and therefore creating a new session file) on every page request. While not claiming this to be the be-all and end-all solution, you might consider this function:

function startSession()
{
   ini_set('session.use_only_cookies', 1);
   if(isset($_GET['PHPSESSID']))
   {
      die("Possible session fixation attack");
   }
   session_start();
   if(empty($_SESSION['initiated']))
   {
      session_regenerate_id();
      $_SESSION['initiated'] = 1;
   }
}

alikim

thanks a lot!