System Template

session.newID() - Available since version 1.3.5

Allocate a new session ID and move data from old to new ID

See Also

Syntax

string = rb.page.session.newID()

Parameters

The 'session.newID' method takes no parameters

Results

The 'session.newID' method returns string:

Remarks

The Whitebeam Session Tracking mechanism identifies client sessions and allocates each of those sessions a unique ID. Generally once a sessionID has been allocated it remains for the duration of that session. There are however security reasons where changing the session ID provides an extra level of security. The following example illustrates this case:

1. Vistors arrives at a site's home page triggering the allocation of a new sessionID by the system.
2. Having viewed a number of pages the user visits a secure SSL 'login' page
3. The user logs in and can then view sensitive private data

In this scenario the initial page views take place in plain text and could be snooped by suitable network equipment. This would make available the private sessionID in use by that visitor. Once the visitor logs in all an attacker needs to do is make use of the sessionID to view all information associated with the visitor.

rb.page.session.newID() helps prevent this type of attack by allowing an application to allocate a new sessionID for an existing session. This would happen during the login process. This would mean the old sessionID would never hold authentication data for the user. The newID() method does two things:

1. Allocates a new random session ID for this visitor
2. Copies all data stored against the old ID to the new ID
3. Deletes all data associated with the old ID and invalidates that ID

The method returns the new sessionID for the current session.