Understanding (or not) Sessions and session_regenerate_id
New to PHP and trying to understand the use and management of sessions. Assumptions are: the entire site would be HTTPS, and users would have to log in to do anything; clicking on a saved link would realise the user wasn't logged in and auto-redirect to the login page.

Session seems to be the appropriate? way to control whether logged in or not, by doing session_start() at the beginning of each page and then looking at the variables that are set by the login page.

My searching and reading suggests that sessions can be copied/hijacked and used to access pages as a user, and certainly closing the page and then re-opening doesn't crash the session, although closing the browser does.

Question 1. Providing my logout function clears the session using array() and then destroys it, is there any other reason/time for me to use session_regenerate_id()?

Question 2. If hijacking/copying is possible, how does a regular (timed?) obliterate, destroy, regenerate help this in any way? Because it seems to me that my target page wouldn't be able to tell the difference between a copy and a valid new session.

Question 3. Is there anything else I need to do for good practice?
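An added example (not the asker's code) showing where the calls the question mentions usually sit in a PHP login flow: regeneration at login so an id seen before authentication stops being valid, routine rotation plus an idle limit so a copied id has a short useful life, and a logout that clears the array, destroys the server-side data and expires the cookie. The timeout values, the /login.php path and the array forms of session_set_cookie_params/setcookie (PHP 7.3+) are assumptions.

```php
<?php
// Added example, not the asker's code: a minimal session bootstrap for an
// all-HTTPS site with a login page, protected pages and a logout action.
const IDLE_LIMIT   = 1800; // seconds without a request before forced logout (assumed value)
const ROTATE_AFTER = 300;  // seconds between routine id rotations (assumed value)

function boot_session(): void {
    // Cookie flags: only over TLS, not readable by JavaScript, not sent cross-site.
    session_set_cookie_params([
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    session_start();
}

function login_user(int $userId): void {
    // Regenerate on privilege change so an id chosen or observed before login is useless.
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'   => $userId,
        'last_seen' => time(),
        'rotated'   => time(),
    ];
}

function require_login(string $loginUrl = '/login.php'): int {
    if (empty($_SESSION['user_id']) || time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout_user();
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
    $_SESSION['last_seen'] = time();
    // Routine rotation shortens the window in which a leaked id stays usable.
    if (time() - $_SESSION['rotated'] > ROTATE_AFTER) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
    return (int) $_SESSION['user_id'];
}

function logout_user(): void {
    $_SESSION = [];
    // Also expire the cookie so the browser stops presenting the old id.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 42000, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}
```

Each page calls boot_session() first; the login page calls login_user() after verifying credentials, protected pages call require_login(), and the logout action calls logout_user().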