PHP-Session Security

Because a session may contain sensitive information,
 you need to treat the session as a possible security
 hole. Session security is necessary to create and
implement a session. If someone is listening in or
snooping on a network, it's possible that he can
intercept a session ID and use it to look like he
is someone else. It's also possible to access session
 data from the local filesystem on multiuser systems
 such as ISP hosting machines.

Session hijacking is when someone accesses either
 a client's cookie or session ID, and then attempts
to use this data. Session fixation is attempting to set
 your own session ID. Session fixation and hijacking
 are easy to combat. We'll make use of the super global
 variables for the client's IP address and browser
 type to keep things secure.


  <?php

session_start();
$user_check = md5($_SERVER['HTTP_USER_AGENT'] .
 $_SERVER['REMOTE_ADDR']);
if (empty($_SESSION['user_data'])) {
session_regenerate_id();
echo ("New session, saving user_check.");
$_SESSION['user_data'] = $user_check;
}
if (strcmp($_SESSION['user_data'], $user_check) !== 0) {
session_regenerate_id();
echo ("Warning, you must reenter your session.");
$_SESSION = array();
$_SESSION['user_data'] = $user_check;
}
else {
echo ("Connection verified!");
}

?>

When a browser first requests the page,a session is
 started. In that session, we stored the encoded
combination of the IP address and browser type.
That way, when the user returns to this page, we
can compare the value stored in the session versus
 a fresh computation of the IP address and browser
 type. If the two don't match, we potentially
have a hijacker, so we pick a new ID and clear
any saved data for that session. That way, the
hijacker cannot retrieve any of the private
 information stored in the session. This doesn't
cause a problem for legitimate users, because
they aren't going to change browser or IP
 addresses in the middle of a session with
your web site.


You know that trusting data from a user isn't a
 great idea. But what exactly do you consider
to be user data versus system data that you trust?



GET
Data from GET operations is inherently user
 data since it usually comes from form submissions.



POST
Data from POST operations is inherently
data since it usually comes from form submissions.



Cookies
Cookies may seem like they could be trusted
since they are automatically sent, but in reality,
 since they are stored on the client's computer,
they could be intentionally altered. Therefore,
 they're considered user data.



Session data
Session data can be trusted as long as the session
 value is set based on validated data. If it's set
 to a user-supplied value without validation,
 it's not trustworthy.

User input should be checked and escaped properly.
 Data that's bound for the database must have all
special characters such as single and double
 quotes escaped.