Hi, I set up a log-in system with 2 pages:
1- access.php:
<form action="log_in.php" method="POST">
    <fieldset>
        <p>
            <label for="username">Username:</label>
            <input type="text" name="username" id="username" />
        </p>
        <p>
            <label for="password">Password:</label>
            <input type="password" name="password" id="password" />
        </p>
        <input type="submit" name="button" id="button" value="log in" />
    </fieldset>
</form>
2- log_in.php:
<?php
// user_exists(), user_active(), login() and user() are assumed to be defined in an
// included functions file that is not part of this post.

// Session settings must be set before session_start(), which is the case here.
ini_set('session.entropy_file', '/dev/urandom'); // are ini_set functions in the right place? did I use them properly?
ini_set('session.entropy_length', '512');
ini_set('session.hash_function', 'sha256');      // accepts 0 (MD5), 1 (SHA-1) or a hash algorithm name
ini_set('session.hash_bits_per_character', '6');
ini_set('session.cookie_secure', 0);
ini_set('session.cookie_httponly', 1);
ini_set('session.use_only_cookies', 1);
session_start();

$errors = [];

if (empty($_POST) === false) {
    // strip backslashes from the submitted values
    $username = str_replace("\\", "", $_POST['username']);
    $password = str_replace("\\", "", $_POST['password']);

    if (empty($username) === true || empty($password) === true) {
        $errors[] = "enter username and password";
    } else if (user_exists($username) === false) { // i check if username exists
        $errors[] = "user doesn't exist";
    } else if (user_active($username) === false) { // i check if user's account has been activated
        $errors[] = "your account not active yet";
    } else if (preg_match("/\s/", $_POST['username']) === 1) { // no whitespace in the username
        $errors[] = "username not allowed";
    } else if ((preg_match('/[A-Z]|[!|"|£|)|(|$|%|&|(|)|{|}|=|?|^|€|[|°|.|+|*|<|>|;|,|:|]/', $_POST['username'])) OR (preg_match("/'|ì|é|è|ò|à|ù|#|@|§|]/", $_POST['username']))) {
        $errors[] = "username not allowed";
    } else if (is_numeric(strpos($_POST['username'], "/"))) {
        $errors[] = "username not allowed";
    } else if (preg_match("/\s/", $_POST['password']) === 1) { // no whitespace in the password
        $errors[] = "password not allowed";
    } else if ((preg_match('/[A-Z]|[!|"|£|)|(|$|%|&|(|)|{|}|=|?|^|€|[|°|.|+|*|<|>|;|,|:|]/', $_POST['password'])) OR (preg_match("/'|ì|é|è|ò|à|ù|#|@|§|]/", $_POST['password']))) {
        $errors[] = "password not allowed";
    } else if (is_numeric(strpos($_POST['password'], "/"))) {
        $errors[] = "password not allowed";
    } else {
        $login = login($username, $password); // i check if username and password match
        if ($login === false) {
            $errors[] = "couldn't sign you in with those details";
        } else {
            $id_user = user($username, $password);
            $_SESSION['id'] = $id_user;
            session_regenerate_id(true); // is this in the right place?
            header("Location: http://localhost/name_site/user_data.php");
            exit();
        }
    }
} else {
    $errors[] = 'enter username and password';
}
Are the functions that prevent session hijacking/fixation attacks in the right place? Did I use them properly?
Thanks a lot.
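As an added example (editor's code, not the poster's), here is a log_in.php that applies the two ordering rules the question is about: session settings are changed before session_start(), and session_regenerate_id(true) runs at the moment the session gains privilege, before anything is written to $_SESSION. The four entropy_* / hash_* settings used above were removed in PHP 7.1 (PHP now draws session ids from the OS CSPRNG), so the example uses their replacements session.sid_length and session.sid_bits_per_character and adds session.use_strict_mode, which makes PHP refuse a session id it did not issue. The function find_user_id() is a hypothetical stand-in for the poster's user_exists()/login()/user() helpers with a constructed in-memory user record.

```php
<?php
// Added example, not the original post's code.
// Assumes: HTTPS in production; find_user_id() (hypothetical) replaces the
// poster's user_exists()/login()/user() helpers.
declare(strict_types=1);

// 1. Configure the session BEFORE session_start(). Calling ini_set() afterwards
//    has no effect on the session that is already open.
ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');    // reject ids the server did not generate (anti-fixation)
ini_set('session.cookie_httponly', '1');    // JavaScript cannot read the cookie
ini_set('session.cookie_secure', '1');      // cookie only travels over HTTPS (0 only for local http dev)
ini_set('session.cookie_samesite', 'Lax');  // PHP >= 7.3; limits cross-site sending
// Replacements for the removed entropy_*/hash_* settings (PHP >= 7.1):
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

session_start();

/**
 * Returns the user's id when username/password are valid, otherwise null.
 * Hypothetical lookup with a constructed sample record; a real application
 * reads the stored password hash from its user table.
 */
function find_user_id(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    if ($username === '' || $password === '') {
        $errors[] = 'enter username and password';
    } elseif (($id = find_user_id($username, $password)) === null) {
        // One generic message for both unknown user and wrong password,
        // so the form does not confirm which usernames exist.
        $errors[] = "couldn't sign you in with those details";
    } else {
        // 2. Anti-fixation: replace the session id the moment authentication
        //    succeeds and delete the old session file (true), THEN store user data.
        //    An id an attacker planted before login is now worthless.
        session_regenerate_id(true);
        $_SESSION['id'] = $id;
        $_SESSION['login_time'] = time();
        header('Location: /user_data.php');
        exit();
    }
}
```

Two points that follow from the original code: writing $_SESSION['id'] before session_regenerate_id(true) does work, because PHP copies the session data to the new id, but regenerating first and then writing is the order that is easiest to audit. And session.cookie_secure = 0 is only acceptable while testing on plain http://localhost; once the site is served over HTTPS the flag must be 1, otherwise the session cookie is sent over any http:// request to the host and can be read on the wire.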