You need to ensure that a user's session identifier cannot be provided by a third party, such as an attacker who seeks to hijack the user's session.
Regenerate the session identifier with session_regenerate_id( ) whenever there is a change in the user's privilege, such as after a successful login:
<?php session_regenerate_id(); $_SESSION['logged_in'] = true; ?>
Sessions allow you to create variables that persist between requests. In order for sessions to work, each of the users' requests must include a session identifier that uniquely identifies a session.
By default, PHP accepts a session identifier sent in either a cookie or in the URL. An attacker can trick a victim into following a link to your application that includes an embedded session identifier:
<a href="http://example.org/login.php?PHPSESSID=1234">Click Here!</a>
A user who follows this link will resume the session identified as 1234. Therefore, the attacker now knows the user's session identifier and can attempt to hijack the user's session by presenting the same session identifier.
If the user never logs in or performs any action that differentiates the user from among the other users of your application, the attacker gains nothing by hijacking the session. Therefore, by ensuring that the session identifier is regenerated whenever there is a change in privilege level, you effectively eliminate session fixation attacks. PHP takes care of updating the session data store and propagating the new session identifier, so you must only call this one function as appropriate.
18.2.4. See Also
Recipes 11.2 for more information about session options that can help to prevent hijacking and fixation. Recipe 11.3 shows a time-based session ID regeneration scheme.