views: 90

answers: 5

OK, I'm a newbie on sessions. Let's imagine that we have a little login site.

Here's a logic:

  1. login
  2. if password right = use $_SESSION[isaloginuser] = 1
  3. check session to see menus with if $_SESSION[isaloginuser] = 1
  4. show the menus
  5. the user wants to log off
  6. unset session
  7. destroy session system

What it uses:

session_register
session_destroy
session_unset
session_start

Where do session_id and session_regenerate or session_name go in? The PHP site says:

session_id() is used to get or set the session id for the current session.

I still just don't get it. Why do we need them anyway? In a real environment, what does it do?

+2  A: 

No, you don’t need to use them. In general all you need is

  • session_start to start the session handling, and
  • session_destroy to destroy the stored session data (this does not modify $_SESSION), and
  • session_unset to reset the $_SESSION variable (but you can also do $_SESSION = array()).

session_id and session_name are to get and set the current session ID and session ID name (default is PHPSESSID). session_regenerate_id can be used to regenerate/change the session ID of the current session. This might be useful if, for example, you want to refresh the session ID every 10 minutes or after changing the state of authenticity of a user associated with a session.

Gumbo
OK, but what does it do in the real world? Are you using it on one of your projects? For what?
Adam Ramadhan
@Adam Ramadhan: What does what do in the real world?
Gumbo
session_id, name and regenerate.
Adam Ramadhan
+1  A: 

Session IDs are the identifier for the session. The way a server stores data about a client is in a cookie. This cookie is sent with each HTTP request to the server by that client. PHP sets a cookie to be a random string token. This token identifies the client and relates it to a set of key-value pairs. The idea of a session variable is that cookies can be easily tampered with. Session IDs, however, being random strings, are hard to duplicate and thus add security.

Maz
+1  A: 

session_register() is deprecated in 5.3; I would suggest against using it. Instead just use $_SESSION['varname'] = "value";

session_id is just used if you want to get the session ID for storing in a database; this is not "necessary" for use. session_name just sets a name; this is not necessary. The regenerate is if you want to do a new ID; this is also not necessary unless your application needs it. For a login session, I highly doubt you will use it.

The others, I hope you understand what they do (i.e. the unset / destroy). But hope that gives some insight.

Brad F Jacobs
+1  A: 

I usually use session_id() when creating shopping baskets so I can track what that user has added. Then, once I have got a response back from the payment gateway that the payment was successful, I session_regenerate() so that when they are back on my website their previous baskets are not visible, and to me it's like a new user has "entered" the shop.

PHPology
`$_SESSION['cart'] = null` wouldn't do?
Marc B
+2  A: 

session_regenerate_id() is used in order to prevent session fixation.

Session fixation means the following: You visit a website and examine your session ID. Then you manipulate another user into visiting the site using your session ID, and signing in. Now you're signed in as that user and have his privileges, because you're both using the same session.

To prevent this, give the user a new session ID using session_regenerate_id() when he successfully signs in. Now only he has the session ID, and your old session ID is no longer valid.

Hammerite
Should we add it at login? Or at logout?
Adam Ramadhan
It's important to do it at login. I don't think it is necessary to do it at logout, although it's not an expensive operation.
Hammerite
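
The login and logout steps from the question with the session fixation defence from the last answer applied, as an added example that is not code from any poster in this thread. It assumes PHP 7.3 or later; `demo_users()`, the function names and the form field names are hypothetical.

```php
<?php
// Added example; demo_users(), the function names and form fields are hypothetical.
function demo_users(): array {
    // Constructed sample account; a real site would read hashes from a database.
    return ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

function start_session(): void {
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

function login(string $user, string $password): bool {
    $users = demo_users();
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Sign-in changes what the session is allowed to do: issue a new ID and
    // delete the old session data so a pre-login ID is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['isaloginuser'] = 1;
    $_SESSION['user'] = $user;
    return true;
}

function is_logged_in(): bool {
    return ($_SESSION['isaloginuser'] ?? 0) === 1;
}

function logout(): void {
    $_SESSION = array();                        // clear the data for this request
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']); // expire the cookie
    session_destroy();                          // remove the stored session data
}

start_session();
$user = $_POST['user'] ?? null;
$pass = $_POST['password'] ?? null;
if (isset($_POST['logout'])) {
    logout();
} elseif (is_string($user) && is_string($pass)) {
    login($user, $pass);
}
echo is_logged_in() ? 'Menus for ' . htmlspecialchars($_SESSION['user']) : 'Please log in';
```

Comparing the `PHPSESSID` cookie before and after a successful sign-in shows the ID changing, which is the property that defeats a fixed pre-login ID.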