StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POPHP session regeneration security
primarykey
Id
14329685
data
AcceptedAnswerId
14329752
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-01-15T01:18:06.613
FavoriteCount
1
LastActivityDate
2014-01-22T00:29:35.053
LastEditDate
2013-01-15T01:30:00.850
LastEditorUserId
922653
OwnerUserId
922653
ParentId
0
PostTypeId
1
Score
3
ViewCount
4733
LastEditorDisplayName
text
Body
I'm having a difficult time with PHP doing some very basic session security type of things: <ul> <li>A new session ID should be generated when switching from a non-authenticated context to an authenticated one</li> <li>A new session ID should be generated when switching from an authenticated context to a non-authenticated one</li> </ul> What I'd like to do is not only regenerate a session ID when switching contexts, but also immediately put something into the session (such as a FLASH) when switching those contexts. These three pages should hopefully clarify my expectations: <pre><code><?php /* page1.php */ session_start(); # Just putting something in the session which I expect to # not show up later $_SESSION['INFO1'] = 'INFO1'; ?> <html> <a href="page2.php">Page 2</a> <?php print_r($_SESSION) ?> </html> </code></pre> So when this page is displayed, I expect to see <code>INFO1</code> show up. I also expect when I come back here NOT to see <code>INFO2</code> show up. If I don't already have a session ID, I expect to get one (I do). <pre><code><?php # page2.php session_destroy(); session_regenerate_id(TRUE); $_SESSION['INFO2'] = 'From page 2'; session_write_close(); header('Location: page3.php'); exit; ?> </code></pre> This would be most akin to a logout function - we invalidate the existing session by passing <code>TRUE</code> to <code>session_regenerate_id</code>. Also, I put something in the (presumably) new session - which may be like a FLASH - say "You've been logged out successfully. <pre><code>#page3.php <html> <body> <?php session_start(); ?> <?php print_r($_SESSION); ?> </body> </html> </code></pre> On this page, I'd expect two things to happen: <ul> <li>The redirect from <code>page2.php</code> should have sent me a new session ID cookie (it did not)</li> <li>I'd expect for the <code>print_r</code> to print information from <code>INFO2</code>, and not from <code>INFO1</code>. It doesn't have information from <code>INFO1</code>, but does not include information from <code>INFO2</code>.</li> </ul> I've had very, very inconsistent results with <code>session_regenerate_id</code> and redirects. It seems like such a kludge to manually send that <code>Set-Cookie</code> header - but even if I didn't, <code>session_regenerate_id(TRUE)</code> should invalidate the old session ID anyhow - so even if the browser didn't for some reason get the new session ID, it wouldn't see any information in the session because the old session had been invalidated. Has anybody else had experience with these sorts of issues? Is there a good way to work around these issues?
Tags
<php><security><session>
Title
PHP session regeneration security
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USColselaw
UserOwnerUserId
1. USColselaw
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POPHP session regeneration security
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.