PHP

Made by DeepSource

Manual generation of session ID detected PHP-A1008

Security
Critical
a02 cwe-330 sans top 25 owasp top 10 cwe-340

Generating a session ID manually, or deriving it from data supplied in the request, lets an attacker plant or guess another user's session ID and hijack that session. The application is vulnerable whenever the ID is not produced by a cryptographically strong pseudo-random generator, or when it is too short to resist guessing.

Therefore, generating session IDs manually is discouraged. Always use the language-provided function, session_regenerate_id(), to obtain a new session ID.

Bad practice

// Generating the session ID from user-provided data is security sensitive:
// the caller (and therefore an attacker) chooses which session this request joins.
$sessionId = session_id($_POST['id']);

Recommended

// session_regenerate_id() replaces the current ID with one from PHP's own
// secure random source and returns a bool, not the new ID; passing true also
// deletes the old session data. Read the new ID back with session_id() if needed.
session_regenerate_id(true);
$sessionId = session_id();
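The following is an added example, not DeepSource's code, showing how a login handler avoids both problems the rule describes: it never takes the session ID from the request, and it rotates the ID at the moment of authentication. The user table, the user name and the password are constructed sample data; loginUser(), logoutUser() and currentSessionId() are hypothetical helper names.

```php
<?php
// Added example (not part of the DeepSource rule page).
declare(strict_types=1);

// Harden session handling before any session is started.
// use_strict_mode makes PHP refuse to adopt a session ID it did not generate
// itself, so an ID planted in the browser by an attacker is discarded and a
// fresh one is issued instead.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');   // never read the ID from a URL parameter
ini_set('session.cookie_httponly', '1');    // keep the cookie away from script access
ini_set('session.cookie_samesite', 'Lax');
session_start();

// Constructed sample user store: user name => password hash.
// A real application would load the hash from its database.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function credentialsValid(array $users, string $user, string $password): bool
{
    // password_verify() is constant-time with respect to the hash; an unknown
    // user still goes through a verify call so timing does not reveal existence.
    $hash = $users[$user] ?? password_hash('', PASSWORD_DEFAULT);
    return isset($users[$user]) && password_verify($password, $hash);
}

function loginUser(array $users, string $user, string $password): bool
{
    if (!credentialsValid($users, $user, $password)) {
        return false;
    }
    // Rotate the ID at the privilege change. Whatever ID the browser carried
    // before login (possibly known to an attacker) is now useless. The argument
    // true deletes the old session file instead of leaving it readable.
    // Note the return type: bool, not the new session ID.
    if (!session_regenerate_id(true)) {
        return false;
    }
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie so the browser stops presenting the old ID.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $params['path'],
              $params['domain'], $params['secure'], $params['httponly']);
    session_destroy();
}

// If the application needs the ID (audit logging, for example), read it back
// from PHP rather than computing or accepting one itself.
function currentSessionId(): string
{
    return session_id();
}

// Sample request handling with constructed credentials.
if (loginUser($USERS, 'alice', 'correct horse battery staple')) {
    error_log('login ok, session ' . substr(currentSessionId(), 0, 6) . '...');
} else {
    http_response_code(401);
}
```

The key design point is that the application never chooses or parses a session ID: PHP generates it, session_regenerate_id() replaces it after login, and use_strict_mode ensures an ID that PHP did not issue is never honoured in the first place.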
