Tags: security, session, session-cookies, session-fixation

If I don't send the session ID by URL, do I need to cycle my session ID on login?


I've heard that my site can get attacked by hackers who:

  1. Go to my site to start a session.
  2. Somehow get a client to go to my site with the same session ID
  3. The client logs in
  4. When the attacker comes back to my site with the session ID, he has full access to that client's account.

I can see this being done if the session ID is passed by URL, and it makes sense to cycle it (session_regenerate_id), but is this needed if I just use session_start and I don't put the session ID in the URL at any point in time?


Solution

  • Well, if the session ID is only transferred by a cookie (is not in the URL and you do not accept one in the URL), then it is not that important to protect against session fixation attacks by recycling the session ID.

    However, it is still good practice, as this could also help against a session cookie which was lying around for a longer time (and potentially placed by a former user). So, as with most security practices, it is the same here: just do it, even if you can't find a way it might get exploited.
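The following is an added example (not code from the question or the answer) showing how to combine cookie-only session transport with recycling the ID at login, as the answer recommends. The `lookup_user()` call and the `$user` array shape are hypothetical stand-ins for your own user store; the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example: cookie-only sessions plus ID regeneration on login.
// Nothing here is part of the original question or answer.

// Refuse session IDs passed in the URL or request body, and reject any ID
// the server itself did not issue. These settings must precede session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie, not persisted
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

// Call this once the credentials have been verified. Dropping the pre-login
// data and issuing a fresh ID means whatever ID the browser carried before
// (chosen by someone else or left behind by a previous user) never becomes
// an authenticated session.
function login_user(array $user): void
{
    $_SESSION = [];
    session_regenerate_id(true); // true = discard the old session record
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['login_time'] = time();
}

// Symmetric cleanup: destroy server-side state and expire the cookie.
function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
    setcookie(session_name(), '', time() - 3600, '/');
}

// Hypothetical usage in a login handler (lookup_user is not defined here):
// $user = lookup_user($_POST['username'] ?? '');
// if ($user && password_verify($_POST['password'] ?? '', $user['password_hash'])) {
//     login_user($user);
// }
```

If the session ID in the cookie never changes across login, a request log that shows the same PHPSESSID before and after authentication is the quickest way to spot that this step is missing.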