On PHP login pages, is it good practice to delete the previous session in case the user didn't log out properly, or is this overkill?
I also read this in the manual comments about session id:
Also, it's always good to ensure every valid session is checked against an IP. One good method is to store the session id and remote IP information in a table, or better, store the IP as a session variable itself, once the user logs in, and ensure that this is continued for remaining pages for security. This of course won't work when users use the same office or shared network, as the IP to the outside world is the same.
I've seen people check the session id as an authentication method (if(!isset($_SESSION['id']))) but I'd rather not check the session_id as this doesn't seem secure because of hijacking/fixation. Is it OK to regenerate the session_id on every other page?
As far as I am aware, I don't need to use the session id for anything, or is there something I have overlooked and do need it? In essence, I'm checking I'm not losing my session id when I might need it later.
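
The pattern this question discusses, as an added example that is not part of the original post: the session id is regenerated once at login (discarding any leftover session), login state is read from a session variable rather than from the id itself, and the IP check from the quoted manual comment runs on each page. Function names and session keys are hypothetical; PHP 7.3+ and an HTTPS site are assumed.

```php
<?php
declare(strict_types=1);

// Added example. Function names and the 'user_id' / 'ip' keys are hypothetical.
function start_secure_session(): void
{
    // Strict mode makes PHP refuse session ids it did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call only after the submitted credentials have been verified.
function on_login_success(int $userId): void
{
    $_SESSION = [];              // drop data left by a user who never logged out
    session_regenerate_id(true); // new id for the login; true deletes the old session
    $_SESSION['user_id'] = $userId;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Per-page check: authentication is a session variable, never the id itself.
function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ip'])) {
        return null;             // not logged in
    }
    // IP binding as in the quoted comment. Users behind one shared address
    // look identical here, and a client whose address changes is logged out.
    if (!hash_equals($_SESSION['ip'], $_SERVER['REMOTE_ADDR'] ?? '')) {
        end_session();
        return null;
    }
    return $_SESSION['user_id'];
}

// Logout, or forced teardown when the IP check fails.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'],
    ]);
    session_destroy();
}
```

Each page calls start_secure_session() first and then current_user_id(); application code never needs to read or store session_id() for this to work.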