Why is it always recommended that session_regenerate_id() should be used before the user's session is created. As per my perception, session_regenerate_id() should be used once the user session id is created, and we need to re-generate it so as to mitigate the session fixation attack by the hacker.
Please suggest!!
I'm not sure where you've gotten recommendation from, but the session_regenerate_id manual shows it being used after session_start, so your assumptions would be correct.
From everything I have read the session_start() has to be called before anything else. The main idea is to create a new id each time so that if a hacker is on the same network, they will not have a static id to use to gain entry to your site. A good explanation of how this is done.
and here is an excellent answer that goes into more detail than the video:
