Possible Duplicate:
PHP Session Fixation / Hijacking
I’ve been using $_SESSION superglobal a lot and heavily.
However the situation is like this:
Once the user is logged I want to keep track of his ID(MySQL table). I can easily
insert the id into $_SESSION['id'] = $user_id;
After all I can use that variable across the pages on my site. What’s on my mind is – user can trick the ID into another. If I would see that there’s a simple number then I can change it a bit and see what happens – I want to prevent this as it can cause a lot of problems as user ID would be used for adding, deleting, editing entries inside the database.
Is session_regenerate_id() just enough to keep my session safe from hijack ?
Conclusion:
Cookie only stores session identificator – all the values are on the server and never get passed to the client side.
Read about session fixation/hijacking on StackOverflow
The user has no acccess to
$_SESSION['id']. He can not modify a variable that’s kept on your server (seesessiondoc).session_regenerate_id()has a different purpose. It resets the cookie SID. That’s the handle that differentiates users and sessions. It only makes sense to use if you have a secondary identifier (IP or user agent string) to verify. It’s main purpose is preventing stale or intersecting sessions. Again, see the manual.