I have a situation where my system detects if a cookie has been hijacked. If I clone the cookie between two different browsers, my system can kill the session cookie on the browser that holds the clone and thus protect the original session.
But I have a problem. How can I regenerate a new session ID value for the cloned browser within the same session? I would essentially give the clone a new session ID that is clean of the original session's data, without affecting the original session's data.
This is what currently happens on my clone:
- System detects that this session was started with a different fingerprint, thus it is a clone or hijacked cookie
- Session data is made inaccessible: the previous session data is written to disk with session_write_close(), and after that the $_SESSION variable is cleared entirely.
- User agent (browser) is notified to remove that cloned session cookie
What I want to happen, though, is that the cookie would not be deleted but assigned a new, different session ID, so that instead of deleting the current session, a new, empty one would be made.
I cannot use session_regenerate_id(), because it requires a session to be started, and it would start the previous session rather than a new one, so my original session data would be lost and not accessible from the previous one. I can assign a new session ID with the session_id() function and then use that, but how can I generate a session ID value that is as secure as the one PHP itself generates?
Basically, all I want is this: if I detect a cloned session, I still want to start a session, but I want to replace the session ID of the cloned session while keeping the original session alive.
Alright, apparently it is doable with the session_regenerate_id() method, which accepts a variable that basically says whether it should keep the previous session data or not. Using this I was able to code a workaround.
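As an added example (not the poster's code), here is how the workaround described above fits together: on a fingerprint mismatch the clone gets a fresh ID via session_regenerate_id(false), which leaves the original ID and its data on disk untouched, and only then is $_SESSION emptied. The fingerprint function and the $_SESSION['fp'] key are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the fingerprint is a hash of the User-Agent header. Pick the
// request attributes that suit your threat model; this is only a placeholder.
function requestFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Returns true when this request was treated as a cloned cookie.
function startSessionWithCloneCheck(): bool
{
    // Refuse session IDs the server never issued (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');
    session_start();                        // must run before any output

    $fp = requestFingerprint();
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fp;              // first request: bind the fingerprint
        return false;
    }
    if (hash_equals($_SESSION['fp'], $fp)) {
        return false;                       // same browser, nothing to do
    }

    // Mismatch: this browser presented a cloned cookie.
    // delete_old_session=false keeps the original ID and its stored data;
    // in PHP 7.1+ the unmodified $_SESSION is saved to the old ID first,
    // and a Set-Cookie with the new ID is queued for this browser only.
    session_regenerate_id(false);

    // The clone now runs under the new ID and starts empty.
    $_SESSION = [];
    $_SESSION['fp'] = $fp;

    error_log('session clone detected; issued a fresh empty session');
    return true;
}
```

The original browser keeps its cookie, so its session continues unaffected. If you prefer to assign the ID yourself through session_id(), PHP 7.1+ offers session_create_id(), which uses the same generator as session_start().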