php: When and why should I use session_regenerate_id()?

Disclaimer: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me), citing the original URL and author information: StackOverFlow, original at http://stackoverflow.com/questions/22965067/

Date: 2020-08-25 16:24:12  Source: igfitidea

When and why I should use session_regenerate_id()?

php, session, session-fixation

Asked by rvandoni

Why and when should I use the session_regenerate_id() function in php? Should I always use it after I use session_start()? I've read that I have to use it to prevent session fixation, is this the only reason?

Accepted answer by Amal Murali

What is session_regenerate_id()?

As the function name says, it is a function that will replace the current session ID with a new one, and keep the current session information.

What does it do?

It mainly helps prevent session fixation attacks. A session fixation attack is where a malicious user tries to exploit a vulnerability in a system to fixate (set) the session ID (SID) of another user. By doing so, they will get complete access as the original user and be able to do tasks that would otherwise require authentication.

To prevent such attacks, assign the user a new session ID using session_regenerate_id() when he successfully signs in (or for every X requests). Now only he has the session ID, and your old (fixated) session ID is no longer valid.

When should I use session_regenerate_id()?

As symbecean points out in the comments below, the session id must be changed at any transition in authentication state and only at authentication transitions.

Further reading:

Answer by Dimag Kharab

You should use session_regenerate_id() in order to stop session hijacking and session fixation.

From this Security.SE answer:

Session hijacking refers to stealing the session cookie. This can be most easily accomplished when sharing a local network with other computers. E.g. at Starbucks. Example... a user with session Y is browsing James's website at Starbucks. I am listening in on their network traffic, sipping my latte. I take user with session Y's cookies for James's website and set my browser to use them. Now when I access James's site, James's site.

From this webpage:

Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker will wait for that user to login. Once the user does so, the attacker uses the predefined session ID value to assume the same online identity.

When To Use

When the user is editing / updating some important inputs (changing passwords, credentials, forgot passwords etc.) which may compromise site security or privacy policy.

See also:

PHP Security Guide: Sessions

Session Fixation (nice read)

Answer by Machavity

I think the issue of session poisoning has been covered pretty well.

To answer the "When should I use this?" portion, it's important to step back and consider what your application is doing with the session. Or, to put it another way, this is the key security question you need to answer:

If someone got a hold of this session what would they gain?

If all you do is track otherwise anonymous data (user comes to site and you use it to track their visits) then there's little reason to regenerate a session. A hijacker wouldn't gain anything of value by grabbing that session.

Lots of sites offer logins, however. A login changes lots of things. I can access my profile. I can change settings. So a hijacker might want my account access, especially if normal and admin users all use sessions to manage the login. So when people come to my site and log in I regenerate the session. It adds an extra layer of security that my newly logged in user is less likely to get hijacked.

Any time we add critical data to a session you should consider regenerating the session ID. If you need to harden your application against fixation then a random regeneration can be useful but I would NEVER regenerate on every request. By default PHP stores sessions in files on the local disk. You're adding a lot of disk I/O to mitigate what is a relatively small attack vector. If you really need more security I would advocate going full HTTPS over regenerating on a regular basis (HTTPS makes fixation very hard to pull off).

Answer by kelunik

Why should I use session_regenerate_id?

You should use it to prevent session fixation.

When should I use session_regenerate_id?

Whenever the authentication state changes, that's mainly on login and logout.

Example

Bob sits at a public computer and by browsing stackoverflow.com he opens a new session there. The session ID is saved in a cookie (with the httpOnly flag to prevent access through javascript). Let's imagine Stack Overflow had HTTPS always enabled and also the secure flag set for the cookie.

How can we steal the session now?

Bob writes down the session ID. He leaves the computer without closing the browser. Now Alice comes to this computer and sees Stack Overflow is already loaded. She logs in now.

Now we're at the stage where you should use session_regenerate_id. If you don't create a new session ID here during login, Bob could use the previous session he had written down to access Alice's session and would be logged in as Alice now.
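The login/logout transitions described in the accepted answer and in this answer, as an added example that is not code from any of the posts above. verifyCredentials() is a hypothetical stand-in for the application's real password check, and the cookie flags come from the scenario above.

```php
<?php
// Added example: regenerate the session ID exactly at the two authentication
// transitions (login, logout). verifyCredentials() is hypothetical.

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session IDs the server never issued; a fixated ID is then never
    // accepted as-is, even before login.
    ini_set('session.use_strict_mode', '1');
    // Cookie flags from the scenario: not readable from JavaScript, sent only
    // over HTTPS, and not attached to cross-site requests.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(string $username, string $password): bool
{
    startSecureSession();
    if (!verifyCredentials($username, $password)) {
        return false;
    }
    // Anonymous -> authenticated: issue a fresh ID and delete the old session
    // data, so an ID Bob wrote down beforehand no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

function logoutUser(): void
{
    startSecureSession();
    // Authenticated -> anonymous: clear data, destroy the session, and expire
    // the cookie so the browser stops presenting the old ID.
    $_SESSION = [];
    session_destroy();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
}

// Hypothetical credential check; a real one looks the hash up in a database.
function verifyCredentials(string $username, string $password): bool
{
    $hash = password_hash('correct-horse-battery', PASSWORD_DEFAULT); // demo user
    return $username === 'alice' && password_verify($password, $hash);
}
```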

Answer by Hasan Veli Soyalan

You can use it for better security.

This way you are creating session IDs for one-time use.

Let's say your user's session id is 3.

Some hacker hacked your client and got their session_id. So the hacker can use that cookie to use their session.

If you have code like

session_start();
session_regenerate_id();

you are able to change their session each time they use your website.

Now the hacker gets sessionid = 3

but you have changed the session after he used it, so your

user has sessionid=4 // auth

hacker has session=3 // null

But there is a catch: let's say you are using the regenerate method and your client just logs in to the website and closes the browser or is inactive. Your client has sessionid=4, and if the hacker gets the cookies at that point they will have the same sessionid.

As explained above, this way you can protect your client from data sniffing in one way, but still it will not fix this issue for good.

But it will be way more secure if you use SSL encryption.

Sorry for bad English.

Answer by Peter

A simple use case:

// User visits a webshop
$shopcart = new Cart();

A session is started and an entry is made in the database. The user's shopcart is identified by his session id.

// User orders items
$shopcart->add('123', 20);
$shopcart->add('124', 18);
$shopcart->add('127', 5);

For each product added, a record is made in my shopcart table. Also identified by the session id.

// User saves cart in order to use it later
$shopcart->save();

The user decided to save his cart. It is now being attached to his user id.

// Regenerate session id for user to be able to make a new cart
session_regenerate_id();

The session id is regenerated and the user can now start over creating another shopcart.

Answer by Anton

session_regenerate_id(): Cannot regenerate session id - session is not active

if(session_status() == PHP_SESSION_ACTIVE)
{
    session_regenerate_id();
}
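An added example (not code from any answer above) that combines this answer's session_status() guard with Machavity's point about not regenerating on every request: the ID is rotated only when a session is active and only once per interval. The 'rotated_at' session key and the 900-second default are this example's own choices.

```php
<?php
// Added example: timed session ID rotation, guarded so it never triggers the
// "session is not active" warning. 'rotated_at' is an assumed key name.

function rotateSessionIdIfStale(int $interval = 900): bool
{
    // session_regenerate_id() warns and returns false without an active
    // session, so check first instead of relying on the warning.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    $last = $_SESSION['rotated_at'] ?? 0;
    if (time() - $last < $interval) {
        return false; // rotated recently; skip the extra disk write
    }
    // true = delete the old session file, so the previous ID dies at once
    if (!session_regenerate_id(true)) {
        return false;
    }
    $_SESSION['rotated_at'] = time();
    return true;
}

// Typical use at the top of an authenticated page:
session_start();
rotateSessionIdIfStale();
```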