bryanjhv/slim-session

Document id(true) in README

SaphiLC opened this issue · 4 comments

Docs are missing the ID function. I think it's important to know you can regenerate the session with that.

That variant is for emergencies. Regenerating the ID keeps the data on the server, but the user may have a bad connection and lose all the data, giving more work to the server. Tell me a practical use case for that.

Practical use? To prevent session fixation attacks:

bool session_regenerate_id ([ bool $delete_old_session = false ] )

It's recommended to run regenerate_id after any important interaction with the server (logging in, changing password...) and at random times.
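The regeneration pattern described in this comment, as an added example written with native PHP sessions only (it is not code from slim-session or from anyone in this thread; the function names are my own):

```php
<?php
// Constructed example: rotate the native PHP session ID at a privilege change
// so that an ID a client held before login is never promoted to an
// authenticated session, and drop it entirely at logout.

declare(strict_types=1);

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/**
 * Call only after credentials have been verified. Returns the new session ID.
 * session_regenerate_id(true) issues a fresh ID and deletes the old
 * server-side record, so the pre-login ID no longer resolves to any data.
 */
function promoteSessionAfterLogin(int $userId): string
{
    startSession();
    $oldId = session_id();
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('could not regenerate session id');
    }
    // Write authenticated state only after the swap; PHP carries existing
    // $_SESSION data over to the new ID, but the old record is gone.
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
    assert(session_id() !== $oldId);
    return session_id();
}

/**
 * Call when privileges drop (logout): clear the data, expire the cookie and
 * destroy the server-side record so the same ID cannot be reused.
 */
function endSession(): void
{
    startSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Hypothetical login route:
// if (password_verify($password, $user['hash'])) { promoteSessionAfterLogin($user['id']); }
```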

Please link to the source about that, because the docs about session_regenerate_id don't say it.
For session fixation please encrypt your sessions instead of monkey-patching an existing one.

Yeah, illuminate/session is one of the best existing ones, and manages many things this package does not, but this one was meant to be simple and usable, only with native sessions (as described in the README).
Security things are being addressed in #21, so it looks like you didn't read the other issues before posting yours.