Ah,
thanks a lot.
I will add my 2 cents in there then :)
Regards,
Duncan
Justin French wrote:
Hi,
There's actually another thread on this topic at the moment... quick
summary:
1. you can't rely on the IP address
2. you can't rely on the referrer
It's been suggested on the list that you could record the user agent into
the session, and check against that -- keeping in mind that the user agent
may be null, and that this would not prevent someone with an identical
user agent from hijacking the session... it's more like an added layer of
protection :)
Check out the recent thread "prevent session_replay"
Justin
on 03/01/03 11:36 AM, Duncan ([EMAIL PROTECTED]) wrote:
Hi,
I am currently working with sessions and how to secure them as much as
possible.
In an older script of mine, I used session_is_registered() to take care
of this, but according to the manual: "If you are using $_SESSION (or
$HTTP_SESSION_VARS), do not use session_register(), ..." - I can't use
this anymore.
Well, so I wondered: how do you or would you make sure that someone won't
be able to hijack the session?
Any recommended URLs about this matter are more than welcome as well :)
I am currently only checking the IP, but I read about issues with AOL
users regarding this, since it can happen that their IP changes while
browsing the site.
Someone mentioned checking the referer and so making sure the script comes
from one's own server, but when using redirects or stuff like that (or the
browser doesn't support this properly - as read in the PHP manual), then
this isn't 100% working either.
So, start nuking me with your comments ;)
Regards,
Duncan
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
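The user-agent binding that Justin describes, written out as an added example (this is not code from the thread or from PHP's own documentation). It assumes a modern PHP (7 or later, for hash_equals() and the null-coalescing operator) and that the caller has already verified the user's credentials before calling bind_session_to_client(); the key name SESSION_UA_KEY and the function names are mine. It keeps the two caveats from the thread in the code: a missing User-Agent header is handled explicitly rather than crashing or silently matching, and the comments say plainly that a matching header does not stop an attacker who sends the same string. It also regenerates the session id on login, which addresses session fixation rather than hijacking as such, but is the other half of the same defence.

```php
<?php
// Added example: bind a PHP session to the client's User-Agent as an extra
// layer of protection, plus session id regeneration on login.
// Assumptions: PHP >= 7, sessions already configured (cookies, not URL ids).
declare(strict_types=1);

const SESSION_UA_KEY = 'ua_fingerprint'; // assumed key name, not a PHP standard

function ua_fingerprint(?string $userAgent): string
{
    // Record "no User-Agent header" as a distinct value, so that a session
    // created without a UA only matches later requests that also lack one.
    $material = $userAgent ?? "\0no-user-agent";
    return hash('sha256', $material);
}

function current_user_agent(): ?string
{
    // $_SERVER['HTTP_USER_AGENT'] is absent when the client sent no header.
    return $_SERVER['HTTP_USER_AGENT'] ?? null;
}

function bind_session_to_client(?string $userAgent): void
{
    // Issue a fresh id whenever the session gains privilege (e.g. at login)
    // and discard the old one, so an id planted by an attacker is useless.
    session_regenerate_id(true);
    $_SESSION[SESSION_UA_KEY] = ua_fingerprint($userAgent);
}

function session_matches_client(?string $userAgent): bool
{
    if (!isset($_SESSION[SESSION_UA_KEY]) || !is_string($_SESSION[SESSION_UA_KEY])) {
        return false; // never bound: treat as untrusted
    }
    // Constant-time compare; a leaked id plus an identical UA still passes,
    // which is exactly the limitation Justin points out.
    return hash_equals($_SESSION[SESSION_UA_KEY], ua_fingerprint($userAgent));
}

function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Run on every request after session_start(). Returns true when the request
// may continue as the logged-in user, false when the session was dropped.
function enforce_session_binding(): bool
{
    if (!isset($_SESSION['user_id'])) {
        return true; // anonymous session, nothing to bind yet
    }
    if (session_matches_client(current_user_agent())) {
        return true;
    }
    destroy_session();
    return false;
}

session_start();

if (!enforce_session_binding()) {
    http_response_code(403);
    exit('Session check failed, please log in again.');
}

// On successful login (credential check assumed to have happened already):
//   $_SESSION['user_id'] = $authenticatedUserId;
//   bind_session_to_client(current_user_agent());
```

Note that the IP check Duncan is already doing is deliberately left out of the fingerprint: as the thread says, the address can legitimately change mid-session (AOL's proxies are the example given), so binding to it produces false logouts without stopping an attacker on the same proxy. If you want to add it anyway, keep it as a separate, loggable signal rather than mixing it into the same hash.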