Is it important to change session on each page request?

Question

It causes conflicts when the user open another page on another window/tab. So how to prevent these conflicts? One way is to set session same for each page the same..every time the user logout/logins the session will be regenerated.

<?php
//every page sets its own session if its not ajax so that it dont expire
if(is_ajax()){
$_SESSION['token'] = md5(rand());
}

echo '<div id="token">'.$_SESSION['token'].'</div>';
?>

tokens will be passed from div.token to perform ajax requests by jquery. but then when the user opens another tab new session is set then the other page returns 'Invalid Request' error.

Do you mean change session id? Why do you need to regenerate a new one for each page load? And why does it cause issues on new tabs - do all URLs have a token? — alex, Jan 25 '11 at 00:46
yes all pages have tokens that will be used on ajax requests and form submissions — kornesh, Jan 25 '11 at 00:56
anyone!? at least any other methods to CSRF protect AJAX requests — kornesh, Jan 25 '11 at 02:11

score 1 · Accepted Answer · edited May 23 '17 at 11:55

1

Having multiple pages or tabs open should not interfere with the session. If it does, you're probably putting a bit too much into the session.

What are you storing in the session? It sounds like you're probably storing something in the session that belongs in the URL.

Edit: After seeing your edit, you may want to check out the top answer in this question:

PHP - CSRF - How to make it works in all tabs?

edited May 23 '17 at 11:55

Community

1
1

answered Jan 25 '11 at 00:45

ClosureCowboy

20,825
13
57
71

im just storing random md5 hash to prevent CSRF attacks. – kornesh Jan 25 '11 at 00:57

Is it important to change session on each page request?

1 Answers1