My code is simple:

```php
<?php
session_start();
session_regenerate_id();
?>
```

The first time I request this page, the HTTP request has no cookie, and the response then contains two 'set-cookie:PHPSESSID=xxxxxx' headers. So I thought that I might write code like this:

```php
<?php
session_start();
if(!empty($_SERVER['HTTP_COOKIE'])){
    session_regenerate_id();
}
?>
```

Then, whether my HTTP request comes with the cookie PHPSESSID=xxxxxx or not, the response contains only one 'set-cookie:PHPSESSID=xxxxxx'.

However, my solution is very awkward. Can any professional PHPer tell me how to write professional code to handle this problem, where the HTTP request may come with the cookie 'PHPSESSID' or without it?

  • It is not clear what the code tries to achieve by using `session_regenerate_id();`. What is the purpose of this statement? – PaulH Jul 05 '16 at 08:06
  • There's no reason to regenerate the session id as soon as you're spawning the session: http://stackoverflow.com/questions/22965067/when-and-why-i-should-use-session-regenerate-id – CD001 Jul 05 '16 at 08:07
  • I want to use session_regenerate_id() to solve the session fixation problem. That was my original purpose. – user8568148 Jul 18 '16 at 00:55
  • I just wrote down some simple code here; actually there is some code between session_start() and session_regenerate_id(), but it is just handling HTTP POST data. – user8568148 Jul 18 '16 at 00:58

2 Answers

Have a look at session_start()

session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.

So when you do not want that PHPSESSION-Cookie, you need to remove session_start().

jmattheis

Set a cookie with setcookie('cookie_name', 'some_value') and then get the cookie with $_COOKIE['cookie_name']. Check the difference between a cookie and a session so you are sure you need a cookie for your operation :)

Mário Kapusta
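An added example, not part of the thread or any poster's code, of using `session_regenerate_id()` against the session fixation problem named in the question's comments: strict mode rejects session IDs the server never issued, and the ID is regenerated at login rather than on every request. `check_credentials()` and the demo account are hypothetical; the `session_start()` options array needs PHP 7.0+ and `cookie_samesite` needs PHP 7.3+.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the application's own login check.
// The account (alice / demo-password) is constructed for this example.
function check_credentials(string $user, string $pass): bool
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('demo-password', PASSWORD_DEFAULT);
    }
    // Evaluate both checks so the password is verified for any user name.
    $userOk = hash_equals('alice', $user);
    $passOk = password_verify($pass, $hash);
    return $userOk && $passOk;
}

session_start([
    'use_strict_mode'  => 1,     // refuse IDs this server did not issue
    'use_only_cookies' => 1,     // never take the ID from the URL
    'use_trans_sid'    => 0,     // never write the ID into links
    'cookie_httponly'  => 1,     // keep the cookie away from page scripts
    'cookie_samesite'  => 'Lax', // also set cookie_secure => 1 on HTTPS
]);

$user = $_POST['user'] ?? null;
$pass = $_POST['pass'] ?? null;

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && is_string($user) && is_string($pass)
    && check_credentials($user, $pass)) {
    // The privilege level changes here: switch to a fresh ID and delete the
    // old session data, so an ID planted before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

header('Content-Type: text/plain');
echo isset($_SESSION['user'])
    ? "logged in as {$_SESSION['user']}\n"
    : "anonymous\n";
```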