Hi,

There's actually another thread on this topic at the moment... quick summary:

1. you can't rely on the IP address
2. you can't rely on the referrer

It's been suggested on the list that you could record the user agent into the session, and check against that -- keeping in mind that the user agent may be null, and that this would not prevent someone with an identical user agent from hijacking the session... it's more like an added layer of protection :)

Check out the recent thread "prevent session_replay"

Justin

on 03/01/03 11:36 AM, Duncan ([EMAIL PROTECTED]) wrote:

> Hi,
>
> I am currently working with sessions and how to secure them as much as
> possible.
> In an older script of mine, I used session_is_registered() to take care
> of this, but according to the manual: "If you are using $_SESSION (or
> $HTTP_SESSION_VARS), do not use session_register(), ..." - I can't use
> this anymore.
> Well, so I wondered: how do you or would you make sure that s.o. won't
> be able to hijack the session?
> Also any recommended URLs about this matter are more than welcome as well :)
>
> I am currently only checking the IP, but I read about issues with AOL
> users about this, since it can happen that their IP changes while
> browsing the site.
> S.o. mentioned checking the referer and so making sure the script is called
> from your own server, but when using redirects or stuff like that (or the
> browser doesn't support this properly - as read in the PHP manual), then
> this isn't 100% working either.
>
> So, start nuking me with your comments ;)
>
> Regards,
> Duncan
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
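As an added example (not code from either poster or from the "prevent session_replay" thread), here is how the user-agent binding Justin describes can be implemented with $_SESSION on a current PHP (7.3 or later is assumed for the array form of session_set_cookie_params()). It handles the two caveats from the reply: the header may be absent, and an identical user agent still passes, so the check is paired with the controls that do most of the real work against hijacking: session_regenerate_id() on login and on mismatch, strict mode, and HttpOnly/Secure/SameSite cookie flags. The function and constant names are my own.

```php
<?php
declare(strict_types=1);

// Key under which the fingerprint is stored in $_SESSION (name is arbitrary).
const UA_KEY = '_ua_fingerprint';

/**
 * Derive a fingerprint from the User-Agent header.
 * The header may be missing entirely (the "user agent may be null" caveat),
 * so map "absent" to a fixed token instead of failing. Hashing keeps the raw
 * string out of the session store and gives a fixed-length value to compare.
 */
function ua_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if ($ua === '') {
        $ua = '(no user agent)';
    }
    return hash('sha256', $ua);
}

/**
 * Start the session with hardened cookie settings, then check the stored
 * fingerprint. Returns true if the session was accepted, false if it was
 * discarded because the User-Agent changed mid-session.
 */
function start_bound_session(array $server): bool
{
    // Cookie flags: not readable from JS, only over TLS, not sent cross-site.
    // These do far more against hijacking than any fingerprint check.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never carry the ID in the URL

    session_start();

    $current = ua_fingerprint($server);

    if (!isset($_SESSION[UA_KEY])) {
        // First request of this session: record the fingerprint.
        $_SESSION[UA_KEY] = $current;
        return true;
    }

    // Constant-time comparison of stored and current fingerprints.
    if (!hash_equals($_SESSION[UA_KEY], $current)) {
        // Mismatch: drop the session data and issue a fresh ID so the old
        // cookie value is useless to whoever is holding it.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION[UA_KEY] = $current;
        return false;
    }

    // Same user agent: accepted, but remember this proves nothing on its
    // own; an attacker who copied the cookie can copy the UA string too.
    return true;
}

/**
 * Call on every privilege change (login, role switch). A fresh ID locks out
 * anyone who captured or fixated the previous one.
 */
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Usage at the top of every page:
if (!start_bound_session($_SERVER)) {
    header('Location: /login.php');
    exit;
}
```

The fingerprint check is kept deliberately small: it is the "added layer" the reply talks about, not the control you rely on. Regenerating the ID on login and using strict mode are what stop an attacker who fixated or replayed an old ID, and the cookie flags are what keep the ID from leaking in the first place.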