Manual generation of session ID detected PHP-A1008

Generating session ID manually can allow an attacker to hijack another user's session. The application can become vulnerable if the session ID is not generated using a strong secure pseudo-random generator or, the session ID length is too short.

Therefore, it is discouraged to generate session IDs manually. Instead, always use language-specific function like session_regenerate_id() to generate new session IDs.

Bad practice

// Generating session ID from user provided data is security sensitive.
$sessionId = session_id($_POST['id']);

Recommended

$sessionId = session_regenerate_id();

References

• OWASP Top 10:2021 > A02 - Cryptographic Failures
• OWASP Top 10:2017 > A03 - Sensitive Data Exposure
• CWE-330: Use of Insufficiently Random Values
• CWE-340: Generation of Predictable Numbers or Identifiers
• Session fixation