Throughout the lifetime of a website, there will be many 'sessions'. Each of these sessions is identified by an ID, and is how the web site knows who is who and is able to keep state between different requests.
A session fixation attack is really only possible if you can get ahold of the session id. Some sites allow sessions to persist between different actual browsing sessions (aka 'Remember Me' functionality), and are more vulnerable to this attack if the same session id is used.
If I get ahold of your session id then I can impersonate you only so long as that session id is valid. Using session_regenerate_id
, the old ID becomes invalidated, making it useless to anyone who may have intercepted it. If you generate a new ID once a user successfully authenticates themselves, then any of the attempts at capturing a session identifier will no longer yield a valid identifier for an authenticated user (only the 'anonymous' session that the user had prior to authenticating themselves), meaning attackers can only 'impersonate' anonymous users.
Some more security conscious frameworks actually regenerate the session id within browsing sessions (using a timeout as low as 2-3 minutes) rather than just whenever a user logs in to help guard against people grabbing the session id via packet sniffing on the network. Session IDs can only be regenerated in response to a request.