Last updated: Thu, 19 May 2005

session_regenerate_id

(PHP 4 >= 4.3.2, PHP 5)

session_regenerate_id --  Update the current session id with a newly generated one

Description

bool session_regenerate_id ( void )

session_regenerate_id() will replace the current session id with a new one, and keep the current session information.

Returns TRUE on success or FALSE on failure.

Example 1. A session_regenerate_id() example

<?php
session_start();

$old_sessionid = session_id();

session_regenerate_id();

$new_sessionid = session_id();

echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";

print_r($_SESSION);
?>

Note: As of PHP 4.3.3, if session cookies are enabled, use of session_regenerate_id() will also submit a new session cookie with the new session id.

See also session_id(), session_start(), and session_name().
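The manual entry above describes what the function does but not when to call it. The following is an added example, not part of the PHP manual: it shows the usual defensive pattern of regenerating the session id at a privilege change (login), rotating it periodically, and tearing the session down at logout. check_credentials() is a hypothetical stand-in for the application's own password check; the route names are placeholders. It uses only the signature documented on this page, bool session_regenerate_id ( void ).

```php
<?php
// Added example (not from the PHP manual): use session_regenerate_id() so
// that an id fixed by an attacker before login never maps to an
// authenticated session, and so that a leaked id has a bounded lifetime.

// Hypothetical stand-in for the application's real credential lookup.
function check_credentials($user, $pass) {
    return $user === 'alice' && $pass === 'correct horse';
}

// Call on successful authentication. Returns TRUE when the user is logged in.
function login_user($user, $pass) {
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Drop everything from the anonymous session: an attacker who fixed the
    // id may also have pre-seeded data under it.
    $_SESSION = array();
    // New id: the pre-login id (possibly known to an attacker) is no longer
    // the one that maps to the authenticated data.
    session_regenerate_id();
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    $_SESSION['last_regen'] = time();
    return true;
}

// Call on every request after session_start(): rotate the id once it is
// older than $max_age seconds. Returns TRUE when a rotation happened.
function rotate_session_id($max_age = 300) {
    if (!isset($_SESSION['last_regen'])) {
        $_SESSION['last_regen'] = time();
        return false;
    }
    if (time() - $_SESSION['last_regen'] > $max_age) {
        session_regenerate_id();
        $_SESSION['last_regen'] = time();
        return true;
    }
    return false;
}

// Clear the data, expire the cookie, then destroy the server-side record.
function logout_user() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 42000,
                  ini_get('session.cookie_path'));
    }
    session_destroy();
}

session_start();
rotate_session_id();

if (isset($_POST['user'], $_POST['pass'])) {
    if (login_user($_POST['user'], $_POST['pass'])) {
        header('Location: /account'); // placeholder route
        exit;
    }
}
?>
```

With the signature documented here the server-side record belonging to the old id is not removed when the id changes, so the example empties $_SESSION before regenerating; that way the old record holds nothing authenticated even if it remains readable until the garbage collector removes it. Regenerating on every request is not needed and, with cookie-based sessions, makes concurrent requests from the same browser race on the cookie value.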



User Contributed Notes
session_regenerate_id
Robert Chapin
06-May-2005 03:25
This function does not work when called from a custom session handler!

I will add details on the page for session_set_save_handler()

-- Miqro
chris at knowledge dot tee-vee
16-Jan-2005 07:51
licp - no, session_regenerate_id() does not destroy any saved session data.

elger, I prefer the following order

[code]
// populate $_SESSION with any previously saved session data for the current session_id
session_start();
...
// delete any saved data associated with current session_id, $_SESSION is not changed
session_destroy();

// change session_id, $_SESSION not altered
session_regenerate_id();
...
// save any $_SESSION data under the current session_id
session_write_close();
[/code]
licp at hotmail dot com
06-Jan-2005 10:07
By inspecting the source code, I am not sure that after session_regenerate_id() runs the original session data is destroyed (it still remains on the system), so sniffers can still hijack the session by using the original session identifier.

In addition, I find that if a user-level session storage handler is used, session_regenerate_id() does not work.
php at cny dot de
20-Dec-2004 11:08
Also note that REMOTE_ADDR may change on every request if the user comes through a proxy farm. Most AOL-users do.
ross at kndr dot org
15-Nov-2004 05:41
In a previous note, php at 5mm de describes how to prevent session hijacking by ensuring that the session id provided matches the HTTP_USER_AGENT and REMOTE_ADDR fields that were present when the session id was first issued.  It should be noted that HTTP_USER_AGENT is supplied by the client, and so can be easily modified by a malicious user.  Also, the client IP addresses can be spoofed, although that's a bit more difficult.  Care should be taken when relying on the session for authentication.
elger at NOSPAM dot yellowbee dot nl
28-Oct-2004 04:10
Take good notice of the new cookie being sent when calling session_regenerate_id on cookie-enabled sessions.
Make sure your page is reloaded, otherwise you'll get a "session_destroy(): Session object destruction failed" error. So here are the examples:

Wrong:
<?php
session_start();

session_regenerate_id();

session_destroy();
?>

Correct-like:
<?php
if (!isset($_GET['mode'])) {
    session_start();

    session_regenerate_id();

    // Redirect so the browser presents the new cookie before the session is destroyed.
    header('Location: ' . $_SERVER['REQUEST_URI'] . '?mode=destroy');
    exit;
} else {
    session_start();

    session_destroy();
}
?>

I noted this because googling the previously mentioned error leads to all kinds of bug reports, but not to the solution (which is, of course, to read the manual).
timo at frenay dot net
26-Aug-2004 01:32
This function is vital in preventing session fixation attacks, but is unfortunately missing in PHP versions prior to 4.3.2. This creates a serious security problem if you can't update your PHP version, like me. Therefore I attempted to port this function to PHP itself:

<?php
if (!function_exists('session_regenerate_id')) {
    // Port of PHP's internal php_combined_lcg(): two linear congruential
    // generators seeded from the clock and the process id, combined into
    // a float in (0, 1).
    function php_combined_lcg() {
        $tv = gettimeofday();
        $lcg['s1'] = $tv['sec'] ^ (~$tv['usec']);
        $lcg['s2'] = posix_getpid();

        $q = (int) ($lcg['s1'] / 53668);
        $lcg['s1'] = (int) (40014 * ($lcg['s1'] - 53668 * $q) - 12211 * $q);
        if ($lcg['s1'] < 0)
            $lcg['s1'] += 2147483563;

        $q = (int) ($lcg['s2'] / 52774);
        $lcg['s2'] = (int) (40692 * ($lcg['s2'] - 52774 * $q) - 3791 * $q);
        if ($lcg['s2'] < 0)
            $lcg['s2'] += 2147483399;

        $z = (int) ($lcg['s1'] - $lcg['s2']);
        if ($z < 1) {
            $z += 2147483562;
        }

        return $z * 4.656613e-10;
    }

    // Build a new id the way PHP 4.3 does (remote address, time and LCG
    // output, hashed with MD5) and install it as the current session id.
    function session_regenerate_id() {
        $tv = gettimeofday();
        $buf = sprintf("%.15s%ld%ld%0.8f", $_SERVER['REMOTE_ADDR'], $tv['sec'], $tv['usec'], php_combined_lcg() * 10);
        session_id(md5($buf));
        if (ini_get('session.use_cookies'))
            // Use the configured cookie name instead of assuming PHPSESSID.
            setcookie(session_name(), session_id(), 0, '/');
        return TRUE;
    }
}
?>

To test this:
<?php
session_start();

$sid = session_id();

session_regenerate_id();
echo "Old session ID: ", $sid, "\nNew session ID: ", session_id(), "\n";
?>

- will output something similar to:
Old session ID: 6e3521f44be4fc452b368e703f044ca1
New session ID: 1c6dac9a3e794f164d4115872b902471
babel at nosqamplease sympatico ca
22-Feb-2004 10:48
To add to php at 5mm de's comments:

If the session is held over https, it's even better to save the client's cert or ssl session id instead of the hostname or ip, as it's proxy-transparent and more secure.
php at 5mm de
05-Sep-2003 08:01
This feature seems to create a new session ID without clearing the old session data. This is a very important feature for security validation:

$usedns = TRUE; // eliminates failures caused by proxies using IP chains, but slower

$useragent = getenv("HTTP_USER_AGENT");
$host = getenv("REMOTE_ADDR");
$dns = $usedns ? @gethostbyaddr($host) : $host;

session_start();

if (isset($_SESSION['securitycheck'])) {
    if (
           (($_SESSION['securitycheck']['host'] != $host) && !$usedns)
        || ($_SESSION['securitycheck']['dns'] != $dns)
        || ($_SESSION['securitycheck']['useragent'] != $useragent)
    ) {
        // Fingerprint mismatch: hand this client a fresh, empty session.
        session_regenerate_id();
        session_unset();
    }
} else {
    // First request of this session: record the client fingerprint.
    $currentdata = array();
    $currentdata['host'] = $host;
    $currentdata['dns'] = $dns;
    $currentdata['useragent'] = $useragent;

    $_SESSION['securitycheck'] = $currentdata;
}

If somebody steals an active SID (e.g. by referrer or injection attack), he can't be validated because of either the host / dns or useragent and will get a new (empty) SID, without interrupting the original session.

Please mail me for any comments: php at 5mm de
madsen at sjovedyr.dk
27-Aug-2003 09:26
I had problems with a proxy changing a visitors session_id-cookie, so he'd get a LOT of errors when visiting my site.
I handled the bogus session-id's like this. (Note: It only works in versions > 4.3.2.)

<?php
// Start a session and suppress error-messages.
@session_start();

// Catch bogus session-id's.
if (!preg_match("/^[0-9a-z]*$/i", session_id())) {
    // Output a warning about the messed up session-id
    // ($error is the site's own error-handler object).
    $error->handleError("WARN", "Your session id is messed up, you might not be able to use some features on this site.");

    // Generate a fresh session-id.
    session_regenerate_id();
}

// Site contents.
?>

Hope someone can use it.

Copyright © 2001-2005 The PHP Group
All rights reserved.
This unofficial mirror is operated at: The Server Pages
Last updated: Thu May 19 17:35:34 2005 CDT