Php Session Security-Internet Security

Because a session may contain sensitive information, you need to treat
 the session as a possible security hole. Session security is necessary to
 create and implement a session. If someone is listening in or snooping
 on a network, it's possible that he can intercept a session ID and use
 it to look like he is someone else. It's also possible to access session
 data from the local filesystem on multiuser systems such as ISP hosting machines.

Session hijacking is when someone accesses either a client's cookie
 or session ID, and then attempts to use this data. Session fixation
 is attempting to set your own session ID. Session fixation and
hijacking are easy to combat. We'll make use of the super global
variables for the client's IP address and browser type to keep things secure.

$user_check = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']);
if (empty($_SESSION['user_data'])) {
echo ("New session, saving user_check.");
$_SESSION['user_data'] = $user_check;
if (strcmp($_SESSION['user_data'], $user_check) !== 0) {
echo ("Warning, you must reenter your session.");
$_SESSION = array();
$_SESSION['user_data'] = $user_check;
else {
echo ("Connection verified!");

we stored the encoded combination of the IP address and
browser type. That way, when the user returns to this page,
we can compare the value stored in the session versus a fresh
 computation of the IP address and browser type. If the two
 don't match, we potentially have a hijacker, so we pick a new
 ID and clear out any saved data for that session. That way,
 the hijacker cannot retrieve any of the private information
stored in the session. This doesn't cause a problem for
legitimate users, because they aren't going to change browser
 or IP addresses in the middle of a session with your web site.