Calling session_regenerate_id() on each page may be a little redundant, depending on your setup. This feature is used to prevent session hijacking and should be used when a user raises privileges (for example, logging in). Usually you switch to an https connection after the user logs in, which means that you only need to call session_regenerate_id() once, when a new cookie is transmitted through a secure connection and cannot be tapped. However, if you do not have an SSL certificate on your server, regenerating the session cookie on each page may be a good option.
When calling session_regenerate_id() you do not need to copy the session data. PHP takes care of all of this for you. Basically, a new session token and cookie are created, the session data is copied to the session store that should be associated with the new token, and if you pass true as the only argument to the function, the old session data file on disk will be deleted.
What you store in the session to indicate whether the user is logged in is up to you. I just keep a simple boolean to indicate if they are logged in, as well as other values containing username, name, etc. Then verifying that someone is logged in is as simple as this:
<?php
if ($_SESSION['logged_in']) {
    // User logged in
} else {
    // User not logged in
}
?>
HTH.
Jeremy
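As an added illustration of the flow described in the answer above (not code from the original post), here is a minimal login/check pair that regenerates the session ID at the privilege change and keys everything off a boolean flag; the credential check, the cookie parameters and the redirect target are assumptions.

```php
<?php
// Added example, not from the original answer: regenerate the session ID
// exactly when privileges change (login), delete the old session file,
// and gate pages on a simple boolean flag stored in the session.
declare(strict_types=1);

// Cookie hardening (assumption, not in the post): HttpOnly keeps scripts
// from reading the token; Secure is set only when served over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical credential check against a constructed sample user store.
function credentials_valid(string $user, string $password): bool
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!credentials_valid($user, $password)) {
        return false;
    }
    // Privilege change: issue a fresh session ID and pass true so the old
    // session data file is deleted and a pre-login ID stops being valid.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $user;
    return true;
}

// Call at the top of any page that requires an authenticated user.
function require_login(): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: /login.php', true, 303); // assumed login page
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```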