ebol4

New Members
  • Posts

    3
  • Joined

  • Last visited

    Never

Profile Information

  • Gender
    Not Telling

ebol4's Achievements

Newbie

Newbie (1/5)

0

Reputation

  1. I guess I could use user agent combined with screen resolution. Screen resolution requires javascript though, so it'll just be a backup in case the useragent suddenly changes. Is there a better way to defend against hijacking?
  2. Then again though, even if I did use my solution, it's still vulnerable to XSS session hijacking. I could check the user-agent, but if the attacker has the same user-agent, it'd still let the session be hijacked. If I checked the IP, people who use proxies that change IPs based on server load would have to keep logging in.
  3. I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content. To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, then it lets them continue through the website; if not, it tells them to log in. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in? My idea was to generate a session key cookie when they login (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive.
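The three posts above ask how a PHP/MySQL login check should be built and whether a per-login database token or a user-agent check helps against session hijacking. The following is an added example (not ebol4's code and not from any project mentioned in the thread) showing one defensible layout: a fresh session id on login, hardened cookie flags, a random per-login token whose hash is stored in the database and compared in constant time on every request, and the user-agent check kept only as a weak secondary signal. The `users` table, its columns (`id`, `username`, `password_hash`, `session_token_hash`), the PDO connection string and the function names are all assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Assumed schema: users(id, username,
// password_hash, session_token_hash). $db is an assumed PDO connection.
declare(strict_types=1);

function startSecureSession(): void
{
    // Cookie flags limit what a script injected via XSS, or a network
    // observer, can do with the session id (PHP 7.3+ array form).
    session_set_cookie_params([
        'httponly' => true,   // JavaScript cannot read the cookie
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not sent on most cross-site requests
    ]);
    session_start();
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session id at the privilege change: a session id planted in the
    // browser before login (session fixation) no longer identifies this user.
    session_regenerate_id(true);

    // Per-login random token. The session holds the token, the database
    // holds only its hash, so a read of the table yields nothing reusable.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET session_token_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $row['id']]);

    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['token']   = $token;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

// Call at the top of every protected page; returns the user id or exits.
function requireLogin(PDO $db): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['token'])) {
        deny();
    }

    // User-agent binding is a secondary signal only: it catches accidental
    // reuse of a session id, not a deliberate attacker who copies the header.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals((string) ($_SESSION['ua_hash'] ?? ''), $ua)) {
        deny();
    }

    // One primary-key lookup per request. Constant-time comparison; a logout
    // elsewhere (hash cleared) or a newer login (hash replaced) invalidates
    // this session server-side.
    $stmt = $db->prepare('SELECT session_token_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null
        || !hash_equals((string) $stored, hash('sha256', $_SESSION['token']))) {
        deny();
    }
    return (int) $_SESSION['user_id'];
}

function logout(PDO $db): void
{
    if (isset($_SESSION['user_id'])) {
        $stmt = $db->prepare('UPDATE users SET session_token_hash = NULL WHERE id = ?');
        $stmt->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

function deny(): void
{
    http_response_code(403);
    exit('Please log in.');
}

// Usage on a protected page (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'DB_USER', 'DB_PASSWORD',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// startSecureSession();
// $userId = requireLogin($db);
```

Two points this layout illustrates relative to the questions in the thread. First, `$_SESSION` data lives on the server; a browser can only present a session id cookie, not set `$_SESSION['user']` directly, so the realistic risks are a guessed, fixated or stolen id rather than an "injected" variable, which is what the regenerated id, the cookie flags and the server-side token address. Second, the per-request database check is one indexed lookup by primary key, which is cheap, and it buys server-side revocation (logout everywhere, one active session per account) that a session-only check cannot provide.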