
Use the HttpOnly cookie flag, which will prevent the hijacking of your session id through XSS attacks. It is supported in almost all modern browsers. For older browsers, make sure you don't have an XSS vulnerability in your code. Also use the Secure flag, if possible, to secure it on the network layer.

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

You can also regenerate on time basis or count basis. Hope it helps!

It's good practice to use session_regenerate_id, but use it wisely. Keep some variable inside the session; it may be a time or a counter. For each request check it; if it has expired, then regenerate your session id like... if( $_SESSION['counter'] % 1000 == 0 ){regenerate} or if( $_SESSION[ 'time' ] > time() + 1hr in sec){regenerate}

php - session_regenerate_id(true) invalid session on ajax requests or ...

php session

Here is a sample of how to only regenerate the session id every 5 minutes for example:

<?php
// Session name; the original answer set this earlier (value here is assumed).
$session_name = 'MYAPP_SESSID';

// Sets the session name to the one set above.
session_name($session_name);

// Start the PHP session
session_start();

// Set the last_regen session variable the first time
if (!isset($_SESSION['last_regen'])) {
    $_SESSION['last_regen'] = time();
}

// Set session regeneration time in seconds
$session_regen_time = 60 * 5;

// Only regenerate the session id if last_regen is older than the given regen time.
if ($_SESSION['last_regen'] + $session_regen_time < time()) {
    $_SESSION['last_regen'] = time();
    session_regenerate_id(true);
}

Does not work with quick page refreshes and ajax calls. I faced this behaviour multiple times: the session id is regenerated with session_regenerate_id(true), but for some (stupid?) reason PHP still believes in the old session id, which became outdated, and as a result $_SESSION is empty.

php - session_regenerate_id(true) invalid session on ajax requests or ...

php session
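The time-based regeneration from the earlier answers, combined with a grace window for the AJAX/quick-refresh race described in the post above, as an added example (not code from any of the answers). It follows the pattern recommended in the PHP manual for session_regenerate_id(): the old record is marked as replaced and left to expire instead of being deleted at once. The session name, the 5-minute interval and the 60-second grace period are assumed values; the array form of session_set_cookie_params() needs PHP 7.3 or newer.

```php
<?php
// Added example; assumed values: session name, interval and grace period.
const REGEN_INTERVAL = 300; // regenerate the id at most every 5 minutes
const GRACE_SECONDS  = 60;  // how long a replaced session id keeps working

session_name('MYAPP_SESSID'); // assumed name
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over TLS
    'httponly' => true,   // not readable by script, limits XSS cookie theft
    'samesite' => 'Lax',
]);
session_start();

if (isset($_SESSION['destroyed'])) {
    // This request carries an id that was already replaced, e.g. an AJAX
    // call that raced the regeneration. Within the grace window it is served
    // from the old data; after that the stale data is discarded.
    if ($_SESSION['destroyed'] < time() - GRACE_SECONDS) {
        session_unset();
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
} elseif (!isset($_SESSION['last_regen'])) {
    // First request of a new session: record when the id was issued.
    $_SESSION['last_regen'] = time();
} elseif ($_SESSION['last_regen'] + REGEN_INTERVAL < time()) {
    // Mark the current record as replaced, then switch to a new id WITHOUT
    // deleting the old record (argument false). PHP 7+ writes the marker to
    // the old record before switching, so late requests still find it.
    $_SESSION['destroyed'] = time();
    session_regenerate_id(false);
    // The new record is a live session and carries no marker.
    unset($_SESSION['destroyed']);
    $_SESSION['last_regen'] = time();
}
```

The old record is never deleted explicitly; session garbage collection removes it once it is idle, and the grace check above stops it from being used as a live session before then.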

Maybe it is because the Facebook PHP SDK is not AJAX and we are using PHP pages, and our servers load faster than the authentication process from Facebook can read back a valid session. What the Facebook PHP SDK requires is something to refresh the page on session validation from our apps; this should be built in to the Facebook JavaScript SDK, but it looks like it isn't.

Facebook PHP SDK session lost, needs JS SDK refresh - Stack Overflow

php facebook facebook-graph-api facebook-php-sdk connect