Re: Why are they more secure?

on 01.04.2008 10:06:28 by gordon

On Apr 1, 12:52 am, Toby A Inkster wrote:
> Gordon wrote:
> > The session_regenerate_id function in PHP mitigates this problem
> > somewhat; it causes a user with a valid session ID to be assigned a
> > different ID for every call.
>
> And will probably end up logging visitors out if they have more than one
> of your pages open simultaneously in a tabbed browser.
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 5 days, 11:11.]
>
> Cognition 0.1 Alpha6
> http://tobyinkster.co.uk/blog/2008/03/29/cognition-alpha6/

Every security technique has its cost. You have to decide whether the
cost of losing tabs is worth the additional protection against session
fixation or not. The answer will depend on the criticality of
security to your web app.
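Added example, not code from either poster: one way to keep the fixation protection Gordon describes while avoiding the multi-tab logout Toby raises is to rotate the ID on login and at a fixed interval rather than on every request, and to let the old ID keep resolving for a short grace window so a parallel request from another tab is handed over instead of dropped. The function names, the interval and the grace length are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread). Values below are assumptions.
const REGEN_INTERVAL = 300; // seconds between routine ID rotations
const GRACE_SECONDS  = 30;  // how long a rotated-out ID still resolves

function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept IDs from URLs
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    session_start();

    if (isset($_SESSION['__expired_at'])) {  // request carries a rotated-out ID
        if (time() > $_SESSION['__expired_at'] || !isset($_SESSION['__new_id'])) {
            session_unset();                 // grace window over: discard it
            session_destroy();
            session_start();                 // strict mode issues a fresh ID
            return;
        }
        $new_id = $_SESSION['__new_id'];     // inside grace window: switch over
        session_commit();
        session_id($new_id);
        session_start();
        return;
    }

    if (!isset($_SESSION['__rotated'])) {
        $_SESSION['__rotated'] = time();
    } elseif (time() - $_SESSION['__rotated'] > REGEN_INTERVAL) {
        rotate_session_id();
    }
}

// Call on every privilege change (e.g. right after a successful login).
function rotate_session_id(): void
{
    $data   = $_SESSION;                      // carry the user's data across
    $new_id = session_create_id();
    // Leave a handover note in the OLD session so the old cookie still
    // resolves for GRACE_SECONDS, then write it out.
    $_SESSION['__new_id']     = $new_id;
    $_SESSION['__expired_at'] = time() + GRACE_SECONDS;
    session_commit();

    session_id($new_id);
    ini_set('session.use_strict_mode', '0');  // new ID is not on disk yet
    session_start();
    ini_set('session.use_strict_mode', '1');
    $_SESSION = $data;
    $_SESSION['__rotated'] = time();
}
```

A second tab whose request still carries the old cookie within GRACE_SECONDS is silently moved to the new ID; a request arriving with the old ID after the window is treated as stale and gets a clean session.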