What are the potential security risks of not updating session IDs on page refresh?

When session IDs are not updated on page refresh, it increases the risk of session fixation attacks. An attacker could potentially fixate a session ID and then hijack the user's session, gaining unauthorized access to sensitive information or performing malicious actions on behalf of the user. To mitigate this risk, it is important to regenerate the session ID on each page load to prevent session fixation attacks.

// Regenerate session ID on each page load
session_regenerate_id(true);