Because a session may contain sensitive information, you need to treat the session as a possible security hole, and security has to be part of how you create and implement a session. If someone is eavesdropping on the network, it's possible that he can intercept a session ID and use it to impersonate its owner. It's also possible to read session data from the local filesystem on multiuser systems such as ISP hosting machines.

Session hijacking is when someone obtains either a client's cookie or session ID and then attempts to use that data as if he were the client. Session fixation is an attempt to make a client use a session ID the attacker has chosen in advance. Session fixation and hijacking are easy to combat. We'll make use of the $_SERVER superglobal entries for the client's IP address (REMOTE_ADDR) and browser type (HTTP_USER_AGENT) to keep things secure.
<?php
session_start();

// Fingerprint of this request: hash of the browser identifier and client address.
$user_check = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']);

if (empty($_SESSION['user_data'])) {
    // First visit: give the client a fresh ID (defeats a fixated ID) and
    // remember the fingerprint for later comparison.
    session_regenerate_id(true);
    echo "New session, saving user_check.";
    $_SESSION['user_data'] = $user_check;
}

if (strcmp($_SESSION['user_data'], $user_check) !== 0) {
    // Fingerprint changed: assume a hijack attempt. Issue a new ID and pass
    // true so the old session file is deleted rather than left on disk, then
    // discard everything the old session held.
    session_regenerate_id(true);
    echo "Warning, you must reenter your session.";
    $_SESSION = array();
    $_SESSION['user_data'] = $user_check;
}
else {
    echo "Connection verified!";
}
?>
We stored the MD5 hash of the combined IP address and browser type. That way, when the user returns to this page, we can compare the value stored in the session with a fresh computation from the current request's IP address and browser type. If the two don't match, we potentially have a hijacker, so we pick a new ID and clear out any saved data for that session. That way, the hijacker cannot retrieve any of the private information stored in the session. This doesn't cause a problem for legitimate users, because they aren't going to change browser or IP addresses in the middle of a session with your web site.
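The same check, restructured so it can be exercised outside a web request. This is an added example, not the book's code: the helper names fingerprint() and check_session() are hypothetical, the request arrays and session contents are constructed, and the fresh-ID step is injected as a callback so the script runs from the command line without a real session. It departs from the page's snippet in two deliberate ways: it uses hash_equals() instead of strcmp(), and the real-request callback passes true to session_regenerate_id() so the old session file is removed instead of lingering on disk under the ID the hijacker holds.

```php
<?php
declare(strict_types=1);

/**
 * Build the client fingerprint the page stores in $_SESSION['user_data'].
 * The server array is a parameter so the function can be fed constructed input.
 * Hypothetical helper, not part of the original text.
 */
function fingerprint(array $server): string
{
    $agent = (string) ($server['HTTP_USER_AGENT'] ?? '');
    $addr  = (string) ($server['REMOTE_ADDR'] ?? '');
    return hash('sha256', $agent . '|' . $addr);
}

/**
 * Apply the page's hijack check to a session array.
 * Returns 'new', 'verified' or 'mismatch'. $regenerate is invoked whenever a
 * fresh session ID is needed; the caller decides what that means.
 * Hypothetical helper, not part of the original text.
 */
function check_session(array &$session, string $check, callable $regenerate): string
{
    if (empty($session['user_data'])) {
        $regenerate();                      // fresh ID defeats a fixated one
        $session['user_data'] = $check;
        return 'new';
    }
    if (!hash_equals((string) $session['user_data'], $check)) {
        $regenerate();                      // new ID; old one discarded by the callback
        $session = ['user_data' => $check]; // drop everything the old session held
        return 'mismatch';
    }
    return 'verified';
}

// In a real request the wiring would be:
//   session_start();
//   $state = check_session($_SESSION, fingerprint($_SERVER), fn() => session_regenerate_id(true));

// --- Constructed walk-through (no web server needed) ---
$alice = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/115.0', 'REMOTE_ADDR' => '198.51.100.7'];
$other = ['HTTP_USER_AGENT' => 'curl/8.4.0',                             'REMOTE_ADDR' => '203.0.113.9'];

$session = ['cart' => ['sku-42'], 'user_id' => 17]; // constructed session contents
$regens  = 0;
$regen   = function () use (&$regens): void { $regens++; };

$first  = check_session($session, fingerprint($alice), $regen); // 'new'
$second = check_session($session, fingerprint($alice), $regen); // 'verified'
$third  = check_session($session, fingerprint($other), $regen); // 'mismatch'

printf("%s %s %s, regenerated %d times, keys left: %s\n",
    $first, $second, $third, $regens, implode(',', array_keys($session)));
```

Run with php on the command line: the third call, made with a different address and browser string, reports a mismatch, the ID is regenerated a second time, and only user_data survives in the session array, which is exactly the outcome the text describes for a suspected hijacker.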