
Session fingerprint


9three


I've seen a lot of code around using a session and assigning a 'fingerprint' to it. This fingerprint usually contains a string (some store the user agent or some type of info) wrapped with an md5 (sometimes salted) around it.

Does anyone find using a fingerprint a need or make them feel more secure? I guess if you md5 a user agent and store it in a database it might come to some use in the sense that if someone was able to hack your database, then that fingerprint would still be secured.

I would like your input into this. Open for discussion :)

https://forums.phpfreaks.com/topic/150671-session-fingerprint/

Fingerprinting is a good idea; however, I have yet to find a suitable variable to be fingerprinted.

For example, you could hash the user's IP address, but if they are on a shared or dynamic IP, this won't work. You could also hash the browser type, but again, this can be faked or can change.

If there are any good variables to use, someone please shout up, as I'm always looking to improve the security of my login scripts.

https://forums.phpfreaks.com/topic/150671-session-fingerprint/#findComment-791657

> Fingerprinting is a good idea; however, I have yet to find a suitable variable to be fingerprinted.
>
> For example, you could hash the user's IP address, but if they are on a shared or dynamic IP, this won't work. You could also hash the browser type, but again, this can be faked or can change.
>
> If there are any good variables to use, someone please shout up, as I'm always looking to improve the security of my login scripts.

Usually I create a fingerprint using a selected string of my own (like a salt) and the browser type.

https://forums.phpfreaks.com/topic/150671-session-fingerprint/#findComment-791712
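
The check discussed in this thread, sketched as an added example that is not code from any of the posters: the session stores a keyed hash of the browser type at login and each later request is compared against it. `FINGERPRINT_KEY` and the function names are hypothetical, and HMAC-SHA256 is swapped in for the salted md5 the posts mention.

```php
<?php
// Added example: bind a session to a keyed hash of the User-Agent header.
// FINGERPRINT_KEY and all function names are hypothetical.
const FINGERPRINT_KEY = 'placeholder-long-random-server-side-secret';

// Keyed hash of the browser type. The IP address is left out on purpose:
// as noted in the thread, shared and dynamic IPs make it unreliable.
function session_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, FINGERPRINT_KEY);
}

// Call once at login, right after session_regenerate_id(true).
function bind_fingerprint(array &$session, array $server): void
{
    $session['fingerprint'] = session_fingerprint($server);
}

// Call on every authenticated request; a false result means the session
// should be destroyed and the user sent back to the login form.
function fingerprint_matches(array $session, array $server): bool
{
    $stored = $session['fingerprint'] ?? null;
    if (!is_string($stored)) {
        return false; // session was never bound
    }
    // hash_equals() compares in constant time.
    return hash_equals($stored, session_fingerprint($server));
}

// Constructed requests standing in for $_SESSION and $_SERVER.
$session = [];
$login   = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0'];
bind_fingerprint($session, $login);

$cases = [
    'same browser'              => $login,
    'different browser'         => ['HTTP_USER_AGENT' => 'OtherClient/2.0'],
    'no User-Agent header'      => [],
    // The limit raised in the thread: the header is client-supplied, so a
    // request that sends the same value is indistinguishable from the user.
    'same User-Agent, other client' => ['HTTP_USER_AGENT' => $login['HTTP_USER_AGENT']],
];
foreach ($cases as $label => $server) {
    printf("%-32s %s\n", $label, fingerprint_matches($session, $server) ? 'accepted' : 'rejected');
}
```

Because the last case is accepted, the fingerprint only works as an extra check alongside session ID regeneration and secure cookie settings, not as a replacement for them.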

Archived

This topic is now archived and is closed to further replies.
