After logging a user into your system you should invalidate the previous session identifier so an attacker doesn't get the chance to hijack the authenticated session through an id they already know. In PHP the PHPSESSID cookie is the session identifier and it should be changed immediately after a successful login. It's as easy as calling session_regenerate_id()

<?php
session_start(); // the session must be started before its id can be regenerated
// Example: user's PHPSESSID cookie value is gar2ds01sd1xudj9dadad90r80
// Passing true also deletes the old session data, so the previous id cannot be reused
session_regenerate_id(true);
// Example: user's PHPSESSID cookie value is now sew5dw25sx9poiu6trewb95v90
// Now we can set some session data tied to the new identifier
$_SESSION['name'] = "Michael Jordan";
$_SESSION['AccountBalance'] = 1000000.00;


which will change the user's PHPSESSID cookie to a different value.

If you don't change the session identifier, an attacker may set the user's PHPSESSID cookie to a value they already know (session fixation). Once the user authenticates, the attacker presents that same cookie and can perform any action your application allows for authenticated users.
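A complete login handler built around the same call, as an added example that is not part of the original post. The in-memory user table and the find_user_by_name() lookup are constructed stand-ins for a real database query; the form field names username and password are assumed. Everything else is standard PHP (7.3 or newer for the array forms of session_set_cookie_params() and setcookie()).

```php
<?php
// Added example: a login handler that regenerates the session id on success.
// The user table below is constructed for the demo; a real application would
// query its database. Password digests come from password_hash().
$USERS = [
    'michael' => ['id' => 23, 'password_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

// Hypothetical lookup; returns the user row or null when the name is unknown.
function find_user_by_name(string $username): ?array
{
    global $USERS;
    return $USERS[$username] ?? null;
}

// Harden the cookie before the session starts: HttpOnly keeps page scripts from
// reading PHPSESSID, Secure keeps it off plain HTTP, SameSite limits cross-site use.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

function login(string $username, string $password): bool
{
    $user = find_user_by_name($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Whatever PHPSESSID the browser arrived with (possibly planted before
    // login) is discarded here; true also removes the old session's data.
    session_regenerate_id(true);

    $_SESSION['user_id']    = $user['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
    // Expire the cookie as well, so the browser stops sending the dead id.
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($_POST['username'] ?? '', $_POST['password'] ?? '');
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'Logged in, new session id issued.' : 'Invalid credentials.';
}
```

The important ordering is that session_regenerate_id(true) runs only after the credentials check succeeds and before any privileged data is written to $_SESSION: a failed login leaves the anonymous session untouched, and a successful one never attaches account data to an id the browser brought with it.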