So in Laravel documentation it says that we "should regenerate the user's session to prevent session fixation"
But when I call Auth::login($user), I see that the session already switches to a different id.
// AuthController (imports Illuminate\Http\Request and Illuminate\Support\Facades\Auth;
// $user is resolved earlier and omitted here)
public function __invoke(Request $request)
{
    // session()->getId(): a111
    Auth::login($user);
    // session()->getId(): a222
    $request->session()->regenerate();
    // session()->getId(): a333
}
So in my understanding Laravel's login() already regenerates the session id. Or am I missing something?
To escape the threats arising from session fixation attacks: a session fixation attack occurs when an attacker or a hacker tricks your users into using a session the hacker already has control over. The hacker might have acquired the session ID through a cross-site scripting attack or through clickbait. Once the user clicks on the clickbait link, the attacker gains access to the user's session ID, which is usually embedded in the request the browser sends to the server. That is why you need to change the session state by regenerating a new session ID every time a user logs in.
Protecting the session is very important as sensitive info is usually stored in the session variable such as usernames, emails etc. A hacker can use those to hack into your credit card and other accounts.
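To make the property from the answer concrete, here is an added, framework-agnostic simulation (not Laravel's code) of what a regenerate()/migrate-style call does: keep the session data, move it under a fresh id, and drop the old id. The in-memory store, the `login` helper and the `alice` user are constructed for this example; the check shows that a pre-login id someone else already holds is only useful if the id is not regenerated at login.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: id -> dict of session attributes."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        # A fresh, unauthenticated session, as issued on first visit.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, sid):
        # Same data, new id, old id destroyed: the behaviour a session
        # regeneration on login is meant to provide.
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid, user_id, regenerate=True):
        # Hypothetical login helper: regenerate first, then mark authenticated.
        if regenerate:
            sid = self.regenerate(sid)
        self._sessions[sid]["user_id"] = user_id
        return sid


def check_regeneration(regenerate):
    """Return whether a pre-login id still maps to an authenticated session."""
    store = SessionStore()
    pre_login_sid = store.start()          # id known before the user logs in
    post_login_sid = store.login(pre_login_sid, "alice", regenerate)
    old = store.get(pre_login_sid)
    return {
        "id_changed": post_login_sid != pre_login_sid,
        "old_id_authenticated": old is not None and "user_id" in old,
        "user_still_logged_in": store.get(post_login_sid).get("user_id") == "alice",
    }
```

Without regeneration the old id is authenticated after login; with it the old id is gone while the user's own session keeps its data.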