
I have a PHP login page (login_page.php) with <form method="post" action="login_handler.php">. At the top of login_page.php I call session_start(); I store a control string $_SESSION['xss_check'] to prevent XSS.

After a user enters username & password and clicks login, login_handler.php processes their credentials and redirects to the website logged in. At the top of login_handler.php I call session_start() again and then session_regenerate_id(true).

To my understanding session_regenerate_id(true) saves old $_SESSION variables, creates a new session and deletes the old one.

My problem is that $_SESSION data is deleted by session_regenerate_id(true), and the old session is not deleted (my session storage folder piles up session files after each call). And my $_SESSION['xss_check'] variable is gone, so my script fails and users can't log in anymore. Now I'm not sure if I understand the use of session_regenerate_id() correctly or if I'm using it in the wrong place?

I read through a lot of posts and I can't find a solution other than just not using session_regenerate_id(), but I want to prevent session fixation.

My code:

    // Start session; this runs at the top of every page (as a function) to start or resume the session.
    // $lifetime is expected to be defined before this code runs (not shown here).
    $cookieparams = session_get_cookie_params();
    $path = ini_get("session.save_path");           // filesystem directory where PHP stores session files
    $cookieparams['path'] = $path;                   // reused below as the session cookie's path
    // arguments: lifetime, path, domain, secure = false, httponly = true
    session_set_cookie_params($lifetime, $cookieparams["path"], $cookieparams["domain"], false, true);
    setcookie('c_check', '1', 0);                    // probe cookie used to detect whether cookies are enabled
    if (session_start()) {
        if (isset($_COOKIE['c_check']) && $_COOKIE['c_check'] === "1") {
            $_SESSION['COOKIES_ON'] = true;
        } else {
            $_SESSION['COOKIES_ON'] = false;
        }
    } else {
        // session failed to start
    }


    // The next code runs at the start of login_handler.php to regenerate the session.
    session_regenerate_id(true);
    if (!isset($_SESSION['LIFETIME'])) {
        // first request in this session: record the start time
        $_SESSION['LIFETIME'] = time();
    } else if (time() - $_SESSION['LIFETIME'] > 600) {
        // more than 10 minutes since the last rotation: rotate the ID again
        session_regenerate_id(true);
        $_SESSION['LIFETIME'] = time();
    } else if (time() - $_SESSION['LIFETIME'] > $lifetime) {
        // session timeout reached (only reachable when $lifetime < 600, since the branch above is tested first)
        session_unset();
        session_destroy();
        header('Location: http://localhost/session_expired.php');
        exit();
    }

I'm sure I'm doing something wrong.... I just don't know what!
Any input is appreciated and thanks in advance!!

G4Hu
  • can you post the code so that we can replicate the problem? – Federkun Jan 23 '16 at 15:05
  • Done! I hope this is sufficient to replicate the problem. – G4Hu Jan 23 '16 at 15:20
  • Can you explain your second `if/else if` block more? What are you trying to accomplish there? – frz3993 Jan 23 '16 at 15:35
  • The second block `if / else if` is to set session timeout. I'm pretty sure it's not part of the problem. Code is based on http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes but the problem is caused by the `session_regenerate_id(true)` right before in my case – G4Hu Jan 23 '16 at 15:48
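Added illustration, not code from the question or from any answer: a minimal login_handler.php showing how session_regenerate_id(true) is documented to behave. The call generates a new session ID, carries the current $_SESSION array over to the new ID and, because the argument is true, deletes the old session file; the $_SESSION data itself is not cleared. The path passed to session_set_cookie_params() is a URL path on the site, not the session.save_path directory on disk, so the cookie below is scoped to "/". The verify_credentials() helper, the constructed user record, the 30-minute idle timeout and the array form of session_set_cookie_params() (PHP 7.3 or later) are assumptions of this example.

```php
<?php
// Added example (not from the question): rotate the session ID on login
// while keeping the data stored in $_SESSION (e.g. $_SESSION['xss_check']).
declare(strict_types=1);

// Session cookie scoped to the site's URL path, HttpOnly, SameSite=Lax.
// Assumption: PHP >= 7.3 for the array form. Set 'secure' => true behind HTTPS.
session_set_cookie_params([
    'lifetime' => 0,       // cookie lives until the browser is closed
    'path'     => '/',     // URL path, not the filesystem save path
    'domain'   => '',
    'secure'   => false,   // true in production over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Idle timeout (assumed value): destroy stale sessions before doing anything else.
const IDLE_LIMIT_SECONDS = 1800;
if (isset($_SESSION['LAST_ACTIVITY'])
    && time() - (int) $_SESSION['LAST_ACTIVITY'] > IDLE_LIMIT_SECONDS) {
    $_SESSION = [];
    session_destroy();
    header('Location: /session_expired.php');
    exit;
}
$_SESSION['LAST_ACTIVITY'] = time();

/**
 * Hypothetical credential check used only by this example.
 * The single user record is constructed inline; a real handler would
 * load the stored password hash from its user store.
 */
function verify_credentials(string $user, string $pass): bool
{
    $users = [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

/**
 * Rotate the session ID after a privilege change (login).
 * Returns [oldId, newId]. $_SESSION is carried over unchanged; with
 * delete_old_session = true the file for oldId is removed.
 */
function rotate_session_id(): array
{
    $old = session_id();
    session_regenerate_id(true);
    return [$old, session_id()];
}

$user = (string) ($_POST['username'] ?? '');
$pass = (string) ($_POST['password'] ?? '');

if (!verify_credentials($user, $pass)) {
    http_response_code(401);
    echo 'Login failed';
    exit;
}

// Successful login: rotate the ID *after* authenticating, then mark the
// session as authenticated. The token set by login_page.php survives.
$tokenBefore = $_SESSION['xss_check'] ?? null;
[$oldId, $newId] = rotate_session_id();

if ($oldId === $newId || ($_SESSION['xss_check'] ?? null) !== $tokenBefore) {
    // Should not happen with a working session handler; log and refuse rather
    // than continue with an ID an attacker may have fixated.
    error_log('session rotation failed');
    $_SESSION = [];
    session_destroy();
    http_response_code(500);
    exit;
}

$_SESSION['user'] = $user;
$_SESSION['authenticated_at'] = time();
header('Location: /dashboard.php');
exit;
```

The rotation happens once, on the request that changes privilege level, rather than on every page load: rotating on each request creates a new session file per request and races with concurrent requests from the same browser, while a single rotation at login is what defeats session fixation.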

0 Answers