Gist: SecureCloud-biz/b74261b2790655fe79df
PHP_Server_Generated_SESSION
<?php
session_start(); // a session must be active before session_destroy()/session_regenerate_id() can be called

// [Accept only server-generated SIDs]
// One way to improve security is not to accept session identifiers that were not generated by the
// server. This does not prevent all session fixation attacks on its own: an attacker can first obtain
// a server-generated SID by visiting the site and then fix that SID on the victim, so the identifier
// must additionally be regenerated whenever the privilege level changes (e.g. on login).
if (!isset($_SESSION['SERVER_GENERATED_SID'])) {
    $_SESSION = [];                            // discard any data attached to the unknown identifier
    session_regenerate_id(true);               // generate a new session identifier and delete the old one
    $_SESSION['SERVER_GENERATED_SID'] = true;  // mark this session as issued by the server
}

// [Logout function]
// A logout function is useful as it allows users to indicate that a session should not allow further
// requests. Thus attacks can only be effective while a session is active. Note that the following
// code performs no Cross-site request forgery checks, potentially allowing an attacker to force users
// to log out of the web application.
if (isset($_POST['logout'])) {
    $_SESSION = [];                            // clear the in-memory copy of the session data
    if (ini_get('session.use_cookies')) {      // expire the session cookie in the browser as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                         // destroy all data in session
}
?>
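The two measures above leave two gaps that the comments themselves point out: a server-generated SID can still be fixed on a victim if the ID is not regenerated at login, and the logout handler can be triggered cross-site. The following is an added example, not part of the gist, that closes both: it turns on PHP's own `session.use_strict_mode` (which rejects session IDs the server never issued, the native form of the "accept only server-generated SIDs" check), regenerates the ID when the privilege level changes at login, and requires a per-session CSRF token before logging out. The form field names (`login`, `logout`, `user`, `password`, `csrf_token`) and the `credentials_are_valid()` stand-in are assumptions for the sake of the example, not part of any real application.

```php
<?php
// Added example (not the gist's code): strict-mode session IDs, regeneration on login,
// and a CSRF-protected logout. Form field names and the credential check are hypothetical.

ini_set('session.use_strict_mode', '1');   // reject uninitialized (attacker-supplied) session IDs
ini_set('session.cookie_httponly', '1');   // keep the session cookie out of document.cookie
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3; blunts cross-site POSTs as a second layer
session_start();

// One CSRF token per session, created lazily on first use.
if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_token_is_valid(?string $token): bool
{
    // hash_equals() avoids a timing side channel on the comparison.
    return is_string($token)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $token);
}

// Hypothetical credential check standing in for a real user store.
function credentials_are_valid(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!credentials_are_valid($user, $password)) {
        return false;
    }
    // Privilege level changes here: issue a fresh ID and delete the old one, so an ID an
    // attacker fixed on this browser before login is worthless after it.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // fresh token for the new session
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser, not just the data on the server.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['login'])) {
        login((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
    } elseif (isset($_POST['logout'])) {
        // A forged cross-site form cannot log the user out: the token is only
        // embedded in pages served within this session.
        if (csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
            logout();
        }
    }
}
```

The logout form must carry the token as a hidden field (`<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">`) for the check to pass. With `session.use_strict_mode` enabled the manual `SERVER_GENERATED_SID` flag from the gist becomes redundant, but regeneration at login is still required: strict mode only guarantees the ID was issued by the server, not that it was issued to the user now holding it.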