What's the point of changing session ids on login?
Been having some issues with race conditions on multiple AJAX requests happening concurrently and wondering if anyone knows why the session id is changed on login?
That would make sense to me if there was only a session when the user was logged in, but I believe Laravel always has a session regardless of whether the user is authenticated or not, so based on that I don't get why the session id is changed on login.
@bashy, you could keep the session id you had before logging in once you log in and just append the "logged in" information to that session id and go on your merry way. However, the danger here is session hijacking. If someone is sniffing your wifi when you log in, they will be able to pretend they are you and be logged in as well. But if you change the session id, it offers another layer of security, making it harder for the perpetrator to hijack your session. I don't know exactly how it all works, but I understand this to be a best practice and that is [one of] the reason[s] why.
@peter-mw, you need to start your own thread. You won't get good answers posting your question at the end of another person's thread. Someone should be able to help you there :)
Hey, can anyone tell me: on the login page of my website, if I change the original session id to a random one with the same length of 41 characters and am still able to log in, would that count as a vulnerability?
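As an added example (not code from this thread or from Laravel), here is a small Python model of a cookie session store that plays out the attack the regenerate-on-login behaviour defends against, session fixation, both for a server that only honours ids it minted and for the case in the last post, where the server accepts whatever id the client made up. Laravel regenerates automatically when `Auth` logs a user in, and exposes the same step as `$request->session()->regenerate()`; plain PHP uses `session_regenerate_id(true)`. The store, the ids, the `accept_client_ids` switch and the user `alice` are all constructed for this example.

```python
import secrets
from typing import Dict, Optional

SID_LENGTH = 40  # hex characters minted by secrets.token_hex(20); arbitrary for the model


class SessionStore:
    """Minimal in-memory cookie session store (a constructed server-side model)."""

    def __init__(self, regenerate_on_login: bool, accept_client_ids: bool = False):
        self.sessions: Dict[str, Dict[str, str]] = {}
        self.regenerate_on_login = regenerate_on_login
        # True models a server that creates a session under whatever id the
        # client sends; False models one that only honours ids it minted itself.
        self.accept_client_ids = accept_client_ids

    def mint(self) -> str:
        """Create a fresh, unpredictable session id and an empty session for it."""
        sid = secrets.token_hex(SID_LENGTH // 2)
        self.sessions[sid] = {}
        return sid

    def start(self, sid: Optional[str] = None) -> str:
        """Resolve the cookie the client presented to a session id."""
        if sid is not None and sid in self.sessions:
            return sid
        if sid is not None and self.accept_client_ids:
            self.sessions[sid] = {}  # the server trusts a client-chosen id
            return sid
        return self.mint()

    def login(self, sid: Optional[str], user: str) -> str:
        """Authenticate the session; returns the id the browser should keep."""
        sid = self.start(sid)
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)  # the pre-login id stops working here
            sid = self.mint()
            self.sessions[sid] = data       # data carries over, the id does not
        self.sessions[sid]["user"] = user
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(regenerate_on_login: bool, accept_client_ids: bool = False,
                    planted_sid: Optional[str] = None) -> Dict[str, object]:
    """Run one session-fixation attempt and report who ends up logged in."""
    store = SessionStore(regenerate_on_login, accept_client_ids)
    # 1. The attacker obtains an id: a genuine anonymous one from the server,
    #    or, if the server accepts any id, a value of their own choosing.
    attacker_sid = planted_sid if planted_sid is not None else store.start()
    # 2. The attacker plants that id in the victim's browser (crafted link,
    #    cookie set from a sibling subdomain, and so on).
    # 3. The victim logs in while carrying the planted cookie.
    victim_sid = store.login(attacker_sid, "alice")
    return {
        "attacker_sees_user": store.current_user(attacker_sid),
        "victim_sees_user": store.current_user(victim_sid),
        "id_changed_at_login": victim_sid != attacker_sid,
    }


if __name__ == "__main__":
    for regen in (False, True):
        print("regenerate_on_login =", regen, fixation_attack(regen))
    # The scenario from the last post: a made-up 41-character id that the server accepts.
    print("client-chosen id, no regeneration:",
          fixation_attack(False, accept_client_ids=True, planted_sid="a" * 41))
    print("client-chosen id, with regeneration:",
          fixation_attack(True, accept_client_ids=True, planted_sid="a" * 41))
```

Without regeneration the attacker's copy of the cookie is the authenticated session; with it, the planted id is dropped at login and the attacker holds a dead id, whether they obtained it legitimately or made it up. Accepting client-chosen ids is still worth fixing on its own, since it lets an attacker skip step 1 entirely. The `id_changed_at_login` flag is also the mechanism behind the race the first post describes: AJAX requests still in flight with the pre-login cookie arrive after that id has been invalidated, so they land on a session that no longer exists.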