Hi,
First things first... great work so far on the framework!
Quick question: I was wandering around the session class for database usage and noticed the session ID is only regenerated in the methods create() and rotate() (session driver class).
Is this done for a reason?
I always thought that the session ID should be updated with rotate() and when data is added to the session for extra security, like passing an authentication process etc. In the past I have always regenerated the session ID nearly every time I have added and sometimes when I remove session data.
I could just add a regenerate_id() method; I ask as I would like to know which is best practice.
Thanks
The session class rotates the session id by default every 300 seconds; this is configurable in the session config.
The simpleauth driver in the Auth package rotates the session id after login or logout.
If you have your own authentication system, you can do the same: just call the session's rotate() method.
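
The two rotation triggers described in the reply above (a timed rotation every 300 seconds, plus an immediate rotation at login), as an added example that is not part of the original thread and is not the framework's driver code. DemoSessionStore and its touch(), login() and isValid() methods are hypothetical names for an in-memory model, and the timestamps are constructed; it shows that an ID issued before login stops resolving once the session is rotated.

```php
<?php
// Hypothetical in-memory model of a session store (PHP 8+), not framework code.
final class DemoSessionStore
{
    private array $sessions = [];   // id => ['data' => array, 'rotated_at' => int]

    public function __construct(private int $rotationTime = 300) {}

    public function create(int $now): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['data' => [], 'rotated_at' => $now];
        return $id;
    }

    // Move the data to a fresh ID and invalidate the old one.
    public function rotate(string $id, int $now): string
    {
        $new = bin2hex(random_bytes(16));
        $this->sessions[$new] = ['data' => $this->sessions[$id]['data'], 'rotated_at' => $now];
        unset($this->sessions[$id]);
        return $new;
    }

    // Once per request: returns the ID the client must use from now on,
    // or null when the presented ID is unknown (for example, already rotated away).
    public function touch(string $id, int $now): ?string
    {
        if (!isset($this->sessions[$id])) { return null; }
        $age = $now - $this->sessions[$id]['rotated_at'];
        return $age >= $this->rotationTime ? $this->rotate($id, $now) : $id;
    }

    // Privilege change: record the user, then rotate immediately.
    public function login(string $id, string $user, int $now): string
    {
        $this->sessions[$id]['data']['user'] = $user;
        return $this->rotate($id, $now);
    }

    public function isValid(string $id): bool { return isset($this->sessions[$id]); }
}

// Constructed timeline (Unix-style timestamps chosen for the demo).
$store = new DemoSessionStore(300);
$anon  = $store->create(1000);                 // ID issued before login
$same  = $store->touch($anon, 1100);           // 100 s old: ID unchanged
$timed = $store->touch($anon, 1300);           // 300 s old: timed rotation
$auth  = $store->login($timed, 'alice', 1310); // login: immediate rotation
var_dump($same === $anon, $store->isValid($anon), $store->isValid($timed), $store->isValid($auth));
```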