I've replaced the somewhat buggy CodeIgniter session library with my own native session implementation.
Both act in the same way, and change the session ID after a certain period of time, and both suffer the same issue, for the sake of this question lets say the session is regenerated each minute.
When a user views a page, and waits one minute, on the next page request the session ID would be regenerated. However there is an issue when the users request times out or if they "double refresh" the page. The browser does not receive the new cookie, which therefore starts a new session on the next request. So if the user hits refresh at the point in which the ID is regenerated and hits refresh again in quick succession, they lose their session.
I know changing the session ID is a good idea to prevent session fixation but is there any way around this issue? Obviously increasing the time in which the ID is regenerated will limit the possibility of this happening but it still seems likely to happen.
Thanks for your help!
