Scott, I think it is safe to say that there is no "official" way to prevent session hijacking like this, nor is there any way to provide absolute assurance that it cannot be done. There are several methods, however, that can make a hijack much more difficult to accomplish without adversely affecting your legitimate users.
To get you going (since you are the best person to decide what extra measures to take), consider that you could store the user agent in a session variable. If you check that variable on each page (many people include a common module such as security.inc or session.inc at the top of each script or use a parent script), it will at least prevent your test of using a different browser. Of course, an attacker can still hijack the session by passing the same user agent (either by using the same browser or manually sending the HTTP request), but the difficulty is a bit more. Your method of testing is actually a good one. The IP address is a terrible metric for identification, so using the same IP will prevent you from trying to use that to distinguish good guy from bad guy. Just use your creativity, and you will probably be fine. The goal is to make things hard for the bad guys and easy for the good guys. Good luck.

Chris

--- "scott" <[EMAIL PROTECTED]> wrote:
> as the SID is being passed in the url, I am able to
> copy the http://url?SID from the browser window if I
> close the browser (which from reading the docs on
> sessions should end the session) and then re-open
> another browser (admittedly on the same machine/ip
> address) and post the http://url?SID back in, I get
> the page, and the $SESSION[vars] are still there !!
> :o( is there an official/approved method to prevent
> this from being done ?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
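The "store the user agent in a session variable and check it at the top of every script" approach that Chris describes, written out as an added example (this is not code from the original thread). The file name security.inc, the login page path and the choice to store a SHA-256 hash of the header rather than the raw string are my assumptions; the code assumes PHP 7 or later for `??` and `hash_equals()`. As the reply itself notes, this is a speed bump that stops the copy-the-URL-into-another-browser test, not a guarantee against a session ID being reused from a client that presents the same User-Agent.

```php
<?php
// security.inc (hypothetical name, as suggested in the reply).
// Usage: put `require 'security.inc';` at the top of every script
// that relies on $_SESSION, before any output is sent.
// Added example, not code from the mailing-list post.

/**
 * Bind the current session to the browser's User-Agent string.
 *
 * On the first request of a session the fingerprint is recorded; on every
 * later request it is compared. A mismatch means a different browser has
 * presented this session ID, so the session data is discarded and the
 * caller is sent back to log in.
 */
function enforce_user_agent_binding(string $login_url = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Hash the header so nothing user-controlled is stored verbatim in the
    // session file (assumption: a hash is as good as the raw string here,
    // since we only ever compare for equality).
    $agent = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    if (!isset($_SESSION['ua_hash'])) {
        // First request of this session: remember which browser started it.
        $_SESSION['ua_hash'] = $agent;
        return;
    }

    if (!hash_equals($_SESSION['ua_hash'], $agent)) {
        // Scott's test case: same SID, different browser. Drop everything
        // rather than serve the stored variables to the new client.
        $_SESSION = [];
        session_destroy();

        // Expire the session cookie on the client as well, so the stale ID
        // is not silently re-sent on the next request.
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }

        header('Location: ' . $login_url);
        exit;
    }
}

enforce_user_agent_binding();
```

The check runs before any page content is produced, so a mismatched request never sees the session's variables. Because the fingerprint is only the User-Agent header, legitimate users who switch browsers mid-session will simply be asked to log in again, which is the "easy for the good guys" trade-off the reply is after.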