This is an example I took from the PHP security book.
I copied it exactly as it was
This does eliminate the opportunity for an attacker to assign a simple session identifier such as 1234,
but the attacker can still examine the cookie or URL (depending upon the method of propagation) to
get the session identifier assigned by PHP. This approach is illustrated in Figure 4-4.
To address this weakness, it helps to understand the scope of the problem. Session fixation is merely
a stepping-stone: the purpose of the attack is to get a session identifier that can be used to hijack a
session. This is most useful when the session being hijacked has a higher level of privilege than the
attacker can obtain through legitimate means. This level of privilege can be as simple as being
logged in.
If the session identifier is regenerated every time there is a change in the level of privilege, the risk
of session fixation is practically eliminated:
PHP code:
<?php
session_start();

// Every request starts unprivileged; the flag is only raised after a successful login.
$_SESSION['logged_in'] = FALSE;
if (check_login())
{
    // Privilege level changes here, so issue a fresh session identifier.
    // Any identifier fixed by an attacker before login is now useless.
    session_regenerate_id();
    $_SESSION['logged_in'] = TRUE;
}
?>
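The following is an added example, not the book's or the original poster's code, showing a complete login/logout handler that applies the rule above: the session identifier is rotated on every change of privilege (up at login, down at logout), the old session data is discarded, and PHP is configured to refuse identifiers it did not issue itself. The functions check_login(), login() and logout() and the inline credential store are assumptions constructed for the example.

```php
<?php
// Added example: regenerate the session ID at every privilege change so an
// identifier an attacker fixed before login never survives into the
// authenticated session. Not the book's code.

// Refuse session IDs that the server did not generate (session.use_strict_mode,
// available since PHP 5.5.2); this blocks fixation of arbitrary values like "1234".
ini_set('session.use_strict_mode', '1');
// Propagate the identifier only in a cookie, never in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical credential check against a constructed in-memory store.
// A real application would look up a stored password hash per user.
function check_login(): bool
{
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    // constructed sample credential store for the example only
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function login(): bool
{
    if (!check_login()) {
        return false;
    }
    // Privilege goes up: issue a new ID and delete the old session storage
    // (the "true" argument), so the pre-login identifier is dead on the server.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user'] = $_POST['username'];
    return true;
}

function logout(): void
{
    // Privilege goes down: clear the data, expire the cookie, destroy the session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Dispatch on the requested action (assumed request shape for the example).
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    echo login() ? "logged in as {$_SESSION['user']}\n" : "login failed\n";
} elseif ($action === 'logout') {
    logout();
    echo "logged out\n";
}
?>
```

The important line is session_regenerate_id(true) placed after the credential check succeeds and before any privileged data is written into $_SESSION; calling it with the delete_old_session flag set means the identifier the attacker planted no longer maps to any session on the server, and use_strict_mode prevents a planted identifier from being accepted in the first place.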