
Request #8911 Add the possibility to change the session id after destroying the old one.
Submitted: 2006-10-08 14:12 UTC
From: simon at ruderich dot com Assigned: troehr
Status: Closed Package: HTTP_Session (version 0.5.3)
PHP Version: Irrelevant OS: Mac OS X 10.4
Roadmaps: (Not assigned)    


 [2006-10-08 14:12 UTC] simon at ruderich dot com (Simon Ruderich)
Description:
------------
I'm trying to destroy the current session id (and data) and create a new one with new data in the same script. I'm doing this to prevent session injections, because the attacker could select the session id, which I want to prevent. So I need a possibility to change the session id after I destroyed the old one when I create a new one within the same script.

I looked in the sources of HTTP/Session.php and came up with a small addition which would add the possibility to HTTP_Session::start() to change the session id if it's requested. I added an example script which uses my small addition and shows the difference between the "old" and "new" behavior.

--- Session.php (0.5.3b) 2006-10-08 15:57:47.000000000 +0200
+++ Session.php (my change) 2006-10-08 15:59:17.000000000 +0200
@@ -140,15 +140,18 @@ * @param $name string Name of a session, default is 'SessionID' * @param $id string Id of a session which will be used * only when the session is new + * @param $changeSID boolean change the session id to a new on, if $id is + * specified this one is used, otherwise it is randomly + * generated * @return void * @see session_name() * @see session_id() * @see session_start() */ - function start($name = 'SessionID', $id = null) + function start($name = 'SessionID', $id = null, $changeSID = false) { HTTP_Session::name($name); - if (is_null(HTTP_Session::detectID())) { + if (is_null(HTTP_Session::detectID()) or $changeSID) { HTTP_Session::id($id ? $id : uniqid(dechex(rand()))); } session_start();

Test script:
---------------
```php
<?php
require_once 'HTTP/Session.php';

HTTP_Session::useCookies(true);
HTTP_Session::start('mysession');
echo 'session_id: ', HTTP_Session::id(), '<br>', "\n";
HTTP_Session::destroy();

HTTP_Session::useCookies(true);

// "old" version (result in "Actual result"): the unpatched start() sees the
// id still sent by the client and reuses it.
HTTP_Session::start('mysession');

// "new" version (result in "Expected result"): with the patch applied, the
// third argument ($changeSID = true) makes start() generate a new session id.
// Run this call instead of the one above:
// HTTP_Session::start('mysession', null, true);

echo 'session_id: ', HTTP_Session::id(), '<br>', "\n";
?>
```

Expected result:
----------------
"new" result (just an example):
session_id: 393f53b54529057b1aca2
session_id: 5e836a0f4529057f9b068

Actual result:
--------------
"old" result (just an example):
session_id: 14822e9845290214b48cf
session_id: 14822e9845290214b48cf
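Review bot: the new `$changeSID` branch still falls through to `HTTP_Session::id($id ? $id : uniqid(dechex(rand())))`, so a caller who passes an `$id` that came from the request reintroduces exactly the attacker-chosen id the flag is meant to prevent, and the fallback `uniqid(dechex(rand()))` is a timestamp plus `rand()`, not a cryptographically strong source; consider ignoring `$id` when `$changeSID` is true (or documenting that it must never be client-supplied) and generating the id from a stronger source. The branch only assigns a different id before `session_start()`; it does not remove the old session's data, so callers still have to call `destroy()` first for the old id to stop resolving. Docblock nit: "to a new on" should read "to a new one".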

Comments

 [2006-10-12 17:09 UTC] simon at ruderich dot com
But the problem with this solution is that I have to create the session id by myself. It would be much better if I could delegate this task to HTTP_Session. If the creation of the session id ever changes, I would have to change all my own session ids to match the creation; for example, a new security advice to make the sessions unique. This is an overhead. I know how session_regenerate_id() works, so it would be nice if HTTP_Session would replicate this function. The best way to achieve this would be to add a new function: HTTP_Session::regenerate().

Thanks in advance,
Simon
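The behaviour asked for in the report and in this comment, regenerating the session id inside one request so that an id planted before login is never kept afterwards, written out as an added example in plain PHP. This is not HTTP_Session code and not the submitter's patch; the function names `regenerate_session_id`, `destroy_and_restart_session` and `on_login_success` are hypothetical, and it assumes PHP 5.4+ (`session_status()`) and PHP 7+ (`random_bytes()`) for the manual fallback.

```php
<?php
// Added example: session id regeneration for session-fixation defence.
// Not part of HTTP_Session; helper names below are hypothetical.

/**
 * Give the active session a fresh id while keeping its data, the way
 * session_regenerate_id() does. Returns the new id, or false if no
 * session is active.
 */
function regenerate_session_id()
{
    // Assumes PHP 5.4+ for session_status().
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    // delete_old_session = true removes the old record from the save
    // handler, so the fixated id no longer resolves to any data.
    if (!session_regenerate_id(true)) {
        return false;
    }
    return session_id();
}

/**
 * Manual equivalent of the "destroy, then start with a new id" flow the
 * report describes: copy the data out, destroy the old session, start a new
 * one under an id drawn from a CSPRNG rather than uniqid()/rand().
 * Assumes PHP 7+ for random_bytes().
 */
function destroy_and_restart_session($name)
{
    $data = $_SESSION;          // keep what should survive the switch
    session_unset();
    session_destroy();          // server-side record of the old id is gone

    // Never derive the new id from anything the client sent.
    session_name($name);
    session_id(bin2hex(random_bytes(16)));
    session_start();            // sends a new cookie for the new id
    $_SESSION = $data;
    return session_id();
}

/**
 * Regenerate at every privilege change, e.g. right after a successful
 * login, and check that the id really changed before trusting the session.
 */
function on_login_success($userId)
{
    $oldId = session_id();
    $newId = regenerate_session_id();
    if ($newId === false || $newId === $oldId) {
        throw new RuntimeException('session id was not regenerated');
    }
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    return $newId;
}
```

The check in `on_login_success()` is the one to keep in production code: a regenerate call that silently fails (no active session, a save handler that refuses the delete) leaves the attacker-chosen id in place, which is exactly the "Actual result" shown in the report.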