09-06-2007, 04:56 PM   #4
Wildhoney

There is another potential security downfall to sessions called session fixation that every developer should be consciously aware of. This is the process by which I send you a link, such as:

You click the link and log in to your account. Now, if the session ID is not changed when the user logs in using session_regenerate_id, then there's no need for me to guess your session ID. I already know it because I supplied it to you. PHP creates the session ID on the fly if it does not exist, so the session ID I sent you in the link becomes your session ID. I can then go and click on the link myself and have almost limitless access to your account.

For this reason, the session's ID should be regenerated, and if practicable, the session ID within the GET should be disabled.

Please see the attached document I have outlining session fixation. It's an interesting read.
Attached Files
File Type: pdf session_fixation.pdf (404.6 KB, 715 views)
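The two mitigations named in the post above (regenerating the session ID at login and not accepting session IDs from GET), as an added example that is not part of the original post. check_credentials() and the demo account are hypothetical stand-ins for the application's own authentication; the ini settings are standard PHP session directives.

```php
<?php
// Added example: login handler hardened against session fixation.

// Accept session IDs from cookies only, never from the URL (GET).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse IDs that PHP did not issue itself instead of creating a
// session for whatever ID the client presents (PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');
// Keep the session cookie out of reach of client-side script.
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical credential check with one constructed demo account.
// A real application would look up a stored password hash instead.
function check_credentials(string $user, string $pass): bool
{
    $storedHash = password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'demo' && password_verify($pass, $storedHash);
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Issue a fresh ID at the moment privileges change and delete the
    // old session data, so an ID known before login is useless after it.
    session_regenerate_id(true);
    $_SESSION = ['user' => $user, 'logged_in_at' => time()];
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login($_POST['user'] ?? '', $_POST['pass'] ?? '');
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'Logged in' : 'Login failed';
}
```

The same session_regenerate_id(true) call belongs at every other privilege change as well, such as logout or switching accounts.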