PHP Verify user agent and IP addresses to prevent session hijacking

I am trying to figure out how to prevent session hijacking. Here is what I was thinking of doing:

Along with the user ID session, add a user IP session and a user agent session. Each time the page loads, these sessions will be checked to see if they match - will that be enough? For instance:

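<?php

session_start(); // $_SESSION is only populated once the session has been started

$userIp = $_SESSION['userIp'];
$userAgent = $_SESSION['userAgent'];

// Destroy the session when the stored IP or User-Agent differs from this request
if ($userIp != $_SERVER['REMOTE_ADDR'] || $userAgent != $_SERVER['HTTP_USER_AGENT']) {
    session_destroy();
}

?>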

Thanks.

+5
2 answers

This is much more complicated. Various people with different settings will be available to your site/service. The first thing that can go wrong is someone going through a proxy server. The IP address that your application will see may change, and the session will be interrupted even for a valid user.

- IP-, - /. , . .

: - PHPSESSIONID, User Agent. .

- - HTTPS , cookie - HTTPS.

EDIT. , , , , , , . GMail, .

+11

z42

, , , , , db, .

+1
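
The trade-off raised in the first answer, as an added example that is not code from the question or the answers: the User-Agent stays a hard binding, while an IP change (proxy, mobile network) only flags the session for re-authentication instead of destroying it. The helper names, the `reauthRequired` key and the sample requests are assumptions made for illustration, and the session is passed as a plain array so the script runs from the command line.

```php
<?php
// Added example with hypothetical helper names; sessions are plain arrays here.
const BIND_OK = 'ok';
const BIND_IP_CHANGED = 'ip_changed';   // proxy or mobile network: keep the session
const BIND_UA_MISMATCH = 'ua_mismatch'; // User-Agent should not change mid-session

function bind_session(array &$session, array $server): void
{
    $session['userIp'] = $server['REMOTE_ADDR'] ?? '';
    $session['userAgent'] = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

function check_binding(array $session, array $server): string
{
    $ua = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
    if (!isset($session['userAgent']) || !hash_equals($session['userAgent'], $ua)) {
        return BIND_UA_MISMATCH;
    }
    if (($session['userIp'] ?? '') !== ($server['REMOTE_ADDR'] ?? '')) {
        return BIND_IP_CHANGED;
    }
    return BIND_OK;
}

function enforce_binding(array &$session, array $server): string
{
    $result = check_binding($session, $server);
    if ($result === BIND_UA_MISMATCH) {
        $session = [];                     // real sessions: session_unset(); session_destroy();
    } elseif ($result === BIND_IP_CHANGED) {
        $session['reauthRequired'] = true; // ask for the password before sensitive actions
    }
    return $result;
}

// Constructed sample requests (documentation IP ranges, made-up User-Agent strings).
$session = ['userId' => 42];
$login = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
bind_session($session, $login);
$requests = [
    'same client'      => $login,
    'behind new proxy' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'],
    'different agent'  => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'OtherClient/2.0'],
];
foreach ($requests as $label => $server) {
    $copy = $session; // evaluate each request against the session as it was at login
    echo str_pad($label, 18), enforce_binding($copy, $server), PHP_EOL;
}
```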