Explanation for session_regenerate_id() proper usage


I am trying to learn about sessions and security, and the first step seems to be strengthening the session by using session_regenerate_id(). Unfortunately, good documentation has not been given as to how, and why, we should even be using it in the first place. So I checked some answers like this one, Using Session_regenerate_id(), on SO, which actually fail to provide any proper usage or explain how it protects the page from session fixation/hijacking.

I am always using something like this (for a simple login script; I know about MySQL injection, this is just an example):

session_start(); // required before $_SESSION can be read or written

if($_POST){
   $username = mysql_real_escape_string($_POST['username']);
   $password = mysql_real_escape_string($_POST['password']);
   $query = mysql_query("SELECT *
                        FROM users
                        WHERE username = '$username'
                        AND password = '$password' ");
   $row = mysql_fetch_array($query);

   if($row){
      $_SESSION['LoggedIn'] = md5($username);
   }
}

Now, I use this method to verify and give access to logged-in users:

if(isset($_SESSION['LoggedIn']) && !empty($_SESSION['LoggedIn'])){
 //giv access to secured page
}else{
 //redirect to login page
}

So, my question is: how does session_regenerate_id() help me strengthen the session, and how do I use it properly?


There are 2 answers

ceejayoz On BEST ANSWER

Regenerating the ID protects against session fixation, where an attacker takes someone else's session ID as their own by adjusting the session ID in their cookies.

As an example situation:

  1. I go to www.nsa.gov on Edward Snowden's computer while he's at lunch.
  2. I note his PHPSESSID cookie.
  3. I wait for him to log in to the super-secure system.
  4. I can now set my PHPSESSID value to his and have his access.

Regenerating the session on login and privilege escalation means the ID I'd grabbed is now useless.
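A login flow that applies the advice in this answer, written as an added example (not ceejayoz's or the asker's code): the ID is regenerated at the moment privilege changes, so an ID captured or planted before login is worthless afterwards. The `$pdo` connection and a `users` table holding a `password_hash()` digest in `password_hash` are assumptions; the credential check uses prepared statements and `password_verify()` rather than the question's `mysql_*` and `md5()` approach.

```php
<?php
// Added example: regenerate the session ID when privilege changes (login),
// so an ID an attacker read or planted beforehand stops being valid.

// Refuse session IDs the server never issued (defeats fixation via a forged cookie).
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the cookie
    'secure'   => true,   // cookie is only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// $pdo is an assumed PDO connection; the users table is assumed to store
// a password_hash() digest in a column named password_hash.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userId = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($userId !== null) {
        // Discard the pre-login ID. Existing $_SESSION data is carried over to
        // the new ID; true deletes the old server-side session immediately.
        // Do the same whenever the user gains privilege (e.g. becomes admin).
        session_regenerate_id(true);
        $_SESSION['user_id']      = $userId;
        $_SESSION['logged_in_at'] = time();
    }
}

// Gate for protected pages: only the user_id set after authentication counts.
function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}
```

With use_strict_mode on, a cookie carrying an unknown ID is ignored and a fresh one is issued, and regenerating after a successful login means even a legitimately issued pre-login ID never becomes an authenticated one.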