I am currently working on a project in PHP (7.2). I call the session_regenerate_id() function on every request to prevent session hijacking attacks (it is a small part in the whole process of detecting a hijacked session).
The question is the following: I expect to manage many sessions on my server. Should I check if the new session_id() value (after I called session_regenerate_id()) is used by another (existing) session? In other words: Is session_regenerate_id() collision free?
I know the function session_create_id is collision free when used in an active session (after session started), but the manual doesn't mention that about the session_regenerate_id function.
Any ideas / suggestions? Thank you.
Yes. session_regenerate_id calls session_create_id so it's also collision free:
sid = php_session_create_id((void**)&data);
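For a user-defined save handler, the uniqueness check the question asks about can live in the handler's own create_sid(). The following is an added example, not part of the original answer or of PHP's source; the UniqueIdHandler class, its sess_<id> file layout and the demo_sessions directory are hypothetical.

```php
<?php
// Added example: hypothetical user-land handler; class name and storage layout are assumptions.
final class UniqueIdHandler implements SessionHandlerInterface, SessionIdInterface
{
    private $dir;

    public function __construct(string $dir) { $this->dir = rtrim($dir, '/'); }

    // Map an ID to its file; reject anything that is not one of our own 32-hex-char IDs.
    private function file($id): string
    {
        if (!preg_match('/\A[0-9a-f]{32}\z/', (string) $id)) {
            throw new InvalidArgumentException('malformed session ID');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open($path, $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }
    public function read($id): string { return (string) @file_get_contents($this->file($id)); }
    public function write($id, $data): bool { return file_put_contents($this->file($id), $data, LOCK_EX) !== false; }
    public function destroy($id): bool { $f = $this->file($id); return !is_file($f) || unlink($f); }

    public function gc($maxlifetime): int
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $maxlifetime < time() && unlink($f)) { $removed++; }
        }
        return $removed;
    }

    // Invoked by session_start() for a new session and by session_regenerate_id().
    public function create_sid(): string
    {
        for ($try = 0; $try < 3; $try++) {
            $id = bin2hex(random_bytes(16));
            // Mode 'x' fails when the file exists, so the existence check and the
            // reservation of the ID are a single atomic step.
            $fh = @fopen($this->file($id), 'x');
            if ($fh !== false) { fclose($fh); return $id; }
        }
        throw new RuntimeException('could not allocate an unused session ID');
    }
}

session_set_save_handler(new UniqueIdHandler(sys_get_temp_dir() . '/demo_sessions'), true);
session_start();
$before = session_id();
session_regenerate_id(true);   // true: delete the old session's data
printf("%s -> %s\n", $before, session_id());
```

Reserving the ID with an exclusive create closes the window between "check that the ID is unused" and "start using it" that a separate existence test would leave open when many requests regenerate IDs concurrently.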