
Is PHP's session_regenerate_id() collision free?


I am currently working on a project in PHP (7.2). I call the session_regenerate_id() function on every request to prevent session hijacking attacks (it is a small part of the whole process of detecting a hijacked session).

The question is the following: I expect to manage many sessions on my server. Should I check if the new session_id() value (after I called session_regenerate_id()) is used by another (existing) session? In other words: is session_regenerate_id() collision free?

I know the function session_create_id is collision free when used in an active session (after session started), but the manual doesn't mention that about the session_regenerate_id function.

Any ideas / suggestions? Thank you.


Solution

  • Yes. session_regenerate_id calls session_create_id so it's also collision free:

    sid = php_session_create_id((void**)&data);
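
For a custom save handler, the same retry-on-collision idea can be written in user land. The following is an added example, not part of the original answer or of PHP's source; `ArraySessionHandler` and its in-memory array are hypothetical stand-ins for a real backend such as a database.

```php
<?php
// Added example, not PHP's own code. ArraySessionHandler is a hypothetical
// name; the array stands in for a real backend (database, key-value store).
final class ArraySessionHandler implements
    SessionHandlerInterface,
    SessionIdInterface,
    SessionUpdateTimestampHandlerInterface
{
    private $store = [];   // constructed in-memory store: session id => data

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string { return $this->store[$id] ?? ''; }
    public function write($id, $data): bool { $this->store[$id] = $data; return true; }
    public function destroy($id): bool { unset($this->store[$id]); return true; }
    public function gc($max_lifetime): int { return 0; }

    // PHP asks the handler for every new ID, including the one that
    // session_regenerate_id() switches to.
    public function create_sid(): string
    {
        for ($tries = 0; $tries < 3; $tries++) {
            $id = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
            if (!isset($this->store[$id])) {   // collision check against live sessions
                return $id;
            }
        }
        throw new RuntimeException('could not allocate a unique session ID');
    }

    // With session.use_strict_mode=1, an ID sent by the client is only
    // accepted if this returns true, i.e. the session already exists.
    public function validateId($id): bool { return isset($this->store[$id]); }
    public function updateTimestamp($id, $data): bool { return true; }
}

ini_set('session.use_strict_mode', '1');
session_set_save_handler(new ArraySessionHandler(), true);
session_start();
session_regenerate_id(true);   // new ID comes from create_sid() above
```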