session_regenerate_id() vs session_id(randomString)


Question

What is the distinct difference between session_id($randomString) and session_regenerate_id()? Both seem to change the session id:

session_regenerate_id() will replace the current session id with a new one, and keep the current session information.

session_id() is used to get or set the session id for the current session.

If I get it right, session_regenerate_id() creates a new session file and copies data over with an option to delete the old file; whilst session_id($randomString) just changes the session id in the existing file.

If so, what are the benefits of copying files? How is it better from a session-fixation-prevention point of view?

Neither this answer nor any other I found answers my question.

Accepted answer

OK, so I did some testing to find the differences between the three different options (session_id($id) after session_start(), session_regenerate_id() and session_regenerate_id(true)). This is the result of what actually happens:

Calling the session id function after session_start will change the session id. At the end of the page load, the current session contents will be written to a new session file. This will leave the old session file as well, and it won't be updated with any changes. However, session_id doesn't send out a new session cookie. This is done by session_start, even when session_id is called before session_start. On the next page load, the old session id is passed and loaded with the same data as at the start of the last page load (new session changes would have been saved to the new id).

session_regenerate_id() will create and change the session id, transferring the session to the new file, and sends out the cookie. Passing true as an argument will also delete the old session file; omitting the argument will leave it.

As far as session fixation goes, both session_id($id) and session_regenerate_id() would actually be worse, as you are creating new sessions while leaving the old session files around to be hijacked. The only option that might help with fixation would be to call session_regenerate_id(true), passing the argument.
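As an added example (not code from the question or the answer above), here is a login handler that applies the answer's recommendation: rotate the ID with session_regenerate_id(true) at the moment of authentication, so the pre-login session file is deleted rather than left on disk. authenticate() and the sample credentials are constructed stand-ins, and the session.use_strict_mode line is a standard PHP setting that the answer itself does not discuss.

```php
<?php
// Added example: rotate the session ID on privilege change (login), with
// delete_old_session = true so the pre-login file does not survive.
declare(strict_types=1);

/** Hypothetical credential check; constructed sample with one account. */
function authenticate(string $user, string $password): bool
{
    static $hash = null;
    $hash ??= password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($password, $hash);
}

/**
 * Authenticates and, on success, moves the session to a fresh ID.
 * Returns the new session ID, or null when authentication fails.
 */
function login(string $user, string $password): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Not in the answer: strict mode makes PHP reject session IDs it
        // did not generate itself, so a planted ID never becomes a session.
        ini_set('session.use_strict_mode', '1');
        session_start();
    }
    if (!authenticate($user, $password)) {
        return null;
    }
    $old = session_id();
    // true = delete the old session file. Without it (or with
    // session_id($new) after session_start()), the old file stays behind
    // with the pre-login data, which is the problem the answer describes.
    session_regenerate_id(true);
    $_SESSION['user']    = $user;
    $_SESSION['auth_at'] = time();
    error_log("session rotated: {$old} -> " . session_id());
    return session_id();
}
```

Call login() before any output is sent, since session_start() and session_regenerate_id() must still be able to emit the Set-Cookie header.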
