I'm just curious. There are methods I've seen where the session id is being updated. I know the importance of the session but I what I don't get is why we the session ID is being updated.
Here in CodeIgniter (PHP framework), the session id is updated every 5 minutes by default. Is it a security issue we're talking about here? Just wanna know. Thanks to whoever answers! :)
分享 it HAS to be updated frequently.
lets say YOU logged in to some online baking site. of course you have a unique session id for your session. BUT, if it is not frequently updated, someone could just take your session ID using some XSS tricks, plug your session id in to his browser and poof! he is logged in using your credentials!
and the server will never know that it wasn't you anymore who is accessing the site since he used your own session id.
分享
