Am trying to prevent session hijacking and other forms of csrf attack on my site and everything seems to be working fine.
My question is that I have session_regenerate_id();
on both index.php and save.php files
Am I still protected against session hijacking and fixation attack etc or should I just remove session_regenerate_id(); from index.php
index.php
<?php
session_start();
session_regenerate_id();
//$token= md5(uniqid());
$token = md5(uniqid().$_SERVER['REMOTE_ADDR']);
$_SESSION['update_token']= $token;
session_write_close();
?>
<html>
<body>
<form method="post" action="save.php">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="submit" value="submit" />
</form>
</body>
</html>
save.php
<?php
session_start();
session_regenerate_id();
$token = $_SESSION['update_token'];
unset($_SESSION['update_token']);
session_write_close();
if ($_POST['token']==$token) {
// insert into database via PDO
} else {
// session attack detected.
}
?>