redarrow
Posted January 2, 2009

Why are you checking browser config? If you're worried about sessions, use them in a database.

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
if($_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT'])

9three
Posted January 2, 2009

For some reason it's not allowing me to modify my existing post, so I had to create a 2nd part to my post.

1. session_start(); // Starts a session
2. session_regenerate_id(); // Regenerates a new session ID when going from page to page; this helps avoid session fixation
3. $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT']; // $_SESSION['user_agent'] is used throughout my entire script.
4. The if statement checks to make sure that HTTP_USER_AGENT matches throughout the entire site. If it doesn't, it runs the block code. You have to create $_SESSION as an array to truly destroy a session. Then unset, and finally destroy it. I added an extra part to redirect to the index.php.

9three
Posted January 2, 2009

> Why are you checking browser config? If you're worried about sessions, use them in a database.
>
> $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
> if($_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT'])

If you check browser configs you can be certain that it is the same user on every secure page. You *can* set a session in a database but you would still have to create some kind of check for credentials to make sure session hijacking hasn't taken place.
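
The User-Agent check and session teardown discussed in this thread, written out as an added example (not code from any poster): the fingerprint is stored once when the session is created and compared on every later request. Because the header is client-supplied and can be replayed, a match is only a weak signal to use alongside other checks. The function names `ua_fingerprint`, `end_session` and `start_bound_session` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; function names below are hypothetical, not from the thread.

function ua_fingerprint(): string
{
    // The header is client-supplied and may be absent, so hash whatever arrives.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function end_session(): void
{
    $_SESSION = [];                        // empty the session data
    if (ini_get('session.use_cookies')) {  // expire the session cookie as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // delete the server-side record
}

function start_bound_session(): bool
{
    session_start();
    if (!isset($_SESSION['user_agent'])) {
        // New session: issue a fresh ID (fixation defence) and record the
        // fingerprint once. Re-assigning it on every request would make the
        // comparison below always succeed.
        session_regenerate_id(true);
        $_SESSION['user_agent'] = ua_fingerprint();
        return true;
    }
    // Later requests: compare against the stored value in constant time.
    if (!hash_equals($_SESSION['user_agent'], ua_fingerprint())) {
        end_session();
        return false;
    }
    return true;
}

// Call at the top of every protected page, before any output.
if (!start_bound_session()) {
    header('Location: index.php');
    exit;
}
```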