This is a very specific question regarding when exactly to call session_regenerate_id(). Is there a difference or security risk between calling session_regenerate_id() before or after setting a secure value in the session?

Before setting a value:

    if ($login_success) {
        session_regenerate_id(true);
        $_SESSION['login_status'] = 'logged_in';
    }

Or after setting a value in session:

    if ($login_success) {
        $_SESSION['login_status'] = 'logged_in';
        session_regenerate_id(true);
    }
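
An added example, not part of the original question: a PHP CLI script that runs both orderings from the post and reports what is stored under the old and the new session ID afterwards. It assumes PHP 7.1+ with the default `files` session handler; the temp directory, the `login_flow` helper and the `cart` value are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post. Run with the PHP CLI.
// Assumption: default "files" session handler; storage is a throwaway temp dir.
$dir = sys_get_temp_dir() . '/regen_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
session_save_path($dir);
ini_set('session.use_cookies', '0');     // CLI run: there is no cookie to send

// Hypothetical helper: performs one login and inspects the session files on disk.
function login_flow(string $dir, bool $regenerateFirst): array
{
    session_id(session_create_id());     // stands in for the pre-login ID a client holds
    session_start();
    $_SESSION = ['cart' => 'pre-login data'];   // constructed pre-login state
    $oldId = session_id();

    if ($regenerateFirst) {              // first ordering from the post
        session_regenerate_id(true);
        $_SESSION['login_status'] = 'logged_in';
    } else {                             // second ordering from the post
        $_SESSION['login_status'] = 'logged_in';
        session_regenerate_id(true);
    }
    $newId = session_id();
    session_write_close();               // flush $_SESSION to the current ID

    return [
        'id_changed'      => $oldId !== $newId,
        'old_file_exists' => file_exists("$dir/sess_$oldId"),
        'new_file_data'   => file_get_contents("$dir/sess_$newId"),
    ];
}

// Run both orderings first and print only at the end: in CLI mode any earlier
// output would make the second session_start() fail with "headers already sent".
$before = login_flow($dir, true);
$after  = login_flow($dir, false);

print_r(['regenerate_before_write' => $before, 'regenerate_after_write' => $after]);
echo $before['new_file_data'] === $after['new_file_data']
    ? "Stored session data is identical for both orderings\n"
    : "Stored session data differs between the orderings\n";

// Remove the constructed session files and directory.
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
```

`session_regenerate_id()` keeps the contents of `$_SESSION` and only swaps the ID, and the data is written when the session closes, so the point to check in the output is that no file remains under the old ID in either case.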