1.2.1118. Should Use session_regenerateid()¶
session_regenerateid() should be used when sessions are used.
When using sessions, a session ID is assigned to the user. It is a random number, used to connect the user and its data on the server. Actually, anyone with the session ID may have access to the data. This is why those session ID are so long and complex.
A good approach to protect the session ID is to reduce its lifespan : the shorter the time of use, the better. While changing the session ID at every hit on the page may no be possible, a more reasonable approach is to change the session id when an important action is about to take place. What important means is left to the application to decide.
Based on this philosophy, a code source that uses ZendSession but never uses ZendSession::regenerateId() has to be updated.
<?php
session_start();
$id = (int) $_SESSION['id'];
// no usage of session_regenerateid() anywhere triggers the analysis
// basic regeneration every 20 hits on the page.
if (++$_SESSION['count'] > 20) {
session_regenerateid();
}
?>
See also session_regenerateid() and PHP Security Guide: Sessions.
1.2.1118.1. Suggestions¶
Add session_regenerateid() call before any important operation on the application
1.2.1118.2. Specs¶
Short name |
Security/ShouldUseSessionRegenerateId |
Rulesets |
|
Exakat since |
0.10.4 |
PHP Version |
All |
Severity |
Major |
Time To Fix |
Slow (1 hour) |
Precision |
High |
Features |
session |
Available in |