System Template
session.newID()
- Available since version 1.3.5
Allocate a new session ID and move data from old to new ID
See Also
rb.page.session.id()
Syntax
string = rb.page.session.newID()
Parameters
The 'session.newID' method takes no parameters
Results
The 'session.newID' method returns string:
Type/Value | Range/Length | Description
string |   | Return the session ID.
Remarks
The Whitebeam Session Tracking mechanism identifies client sessions and allocates each of those sessions a unique ID. Generally, once a sessionID has been allocated it remains for the duration of that session.

There are, however, cases where changing the session ID provides an extra level of security. The following example illustrates this case:
- A visitor arrives at a site's home page, triggering the allocation of a new sessionID by the system.
- Having viewed a number of pages, the user visits a secure SSL 'login' page.
- The user logs in and can then view sensitive private data.

In this scenario the initial page views take place in plain text and could be snooped by suitable network equipment. This would expose the private sessionID in use by that visitor. Once the visitor logs in, all an attacker needs to do is make use of the sessionID to view all information associated with the visitor.

rb.page.session.newID() helps prevent this type of attack by allowing an application to allocate a new sessionID for an existing session. This would happen during the login process, which means the old sessionID would never hold authentication data for the user.

The newID() method does two things:
- Allocates a new random session ID for this visitor
- Copies all data stored against the old ID to the new ID
- Deletes all data associated with the old ID and invalidates that ID

The method returns the new sessionID for the current session.