Why is Session ID re-generated?
#1

[eluser]Unknown[/eluser]
I have noticed that session_id is updated every 5 mins along with last_activity. And it says so in the User Guide.

Quote: The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes)

Why is that when the user is still using the system? Does it make CI more secure?

Also, would it be possible to update only last_activity every 5 mins and leave session_id alone as long as the session lasts?

I am sorry if this was explained elsewhere. Could not find it.
#2

[eluser]WanWizard[/eluser]
It is to deal with something called session fixation.

If you don't rotate the session ID, the time available for a hacker to do something with it increases. Now, if someone intercepts a session cookie, they have a maximum of 5 minutes to do something with it, before it becomes invalid.
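
The rotation discussed in this thread, as an added example that is not part of the original posts and is not CodeIgniter's own code: a minimal in-memory store that moves session data to a fresh ID once the update window has elapsed and rejects the retired ID afterwards. The class `RotatingSessionStore`, its methods, and the timeline values are hypothetical and constructed for illustration (requires PHP 8).

```php
<?php
// Added illustration: in-memory session store with periodic ID rotation.
// RotatingSessionStore and its methods are hypothetical, not CodeIgniter code.
final class RotatingSessionStore
{
    /** @var array<string, array{last_activity:int, data:array}> */
    private array $sessions = [];

    public function __construct(private int $timeToUpdate = 300) {}

    public function create(int $now, array $data = []): string
    {
        $id = bin2hex(random_bytes(16)); // 128-bit ID from the CSPRNG
        $this->sessions[$id] = ['last_activity' => $now, 'data' => $data];
        return $id;
    }

    /**
     * Validate the ID presented in the cookie. Returns the ID the client
     * must use from now on, or null if the presented ID is unknown or retired.
     */
    public function touch(string $presentedId, int $now): ?string
    {
        if (!isset($this->sessions[$presentedId])) {
            return null; // a rotated-out (or forged) ID is rejected
        }
        $session = $this->sessions[$presentedId];
        if ($now - $session['last_activity'] < $this->timeToUpdate) {
            return $presentedId; // inside the window: keep the same ID
        }
        // Window elapsed: move the data to a fresh ID and retire the old one.
        unset($this->sessions[$presentedId]);
        return $this->create($now, $session['data']);
    }
}

// Constructed timeline (seconds): the user keeps browsing while a copy of
// the first cookie value is presented again after rotation.
$store  = new RotatingSessionStore(300);
$first  = $store->create(0, ['user_id' => 42]);
$same   = $store->touch($first, 120);   // still $first
$second = $store->touch($first, 400);   // rotated to a new ID, data carried over
$replay = $store->touch($first, 410);   // null: the old ID is no longer valid

var_dump($same === $first, $second !== $first, $replay === null);
```

The session data survives each rotation, so the user stays logged in; only the identifier carried in the cookie changes.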



