Yeodan Posted May 2, 2009

I'm making an MMORPG browser game. Players need to log in, I use sessions for that. For now I just use the player number, but I'm planning on using the encrypted password, IP address and session number too. Should I check this information on every page? If not, when / where should I? Also is it smart, if it's even possible, to change the session id on every page? If not, when / where should I?
cringe Posted May 2, 2009

You really only need to regenerate the session ID when a change in authority occurs, such as when the user signs on. And regenerate it every "x" requests from the client via a counter in the $_SESSION. And include a unique token in every response sent back, via output_add_rewrite_var(). If the next request does not include that token in $_GET (URL) or $_POST (form) or it's not in the $_SESSION, politely make the user sign in again. And you can have that token "time-out" via another value in the $_SESSION. Set it to time() + 60*10 (10 minutes or whatever) in the $_SESSION when the next response is generated. The next request must be received back with a valid token before time() is greater than that $_SESSION value, or again, ask the user to sign in again or take some other appropriate action.
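The scheme cringe describes, written out as a single include file. This is an added example, not code posted in the thread: the constants REGEN_EVERY and TOKEN_TTL, the functions login(), require_login(), issue_token(), redirect_with_token() and fail(), and the /login.php path are all assumptions made here. It regenerates the session id on sign-in and every N requests, stamps every response with a fresh token via output_add_rewrite_var(), and sends the player back to the login page when the next request arrives without a valid, unexpired token. The cookie hardening at the top goes slightly beyond the thread (strict mode plus HttpOnly/Secure/SameSite cookie flags); it is standard PHP session configuration, not something the answer specifies.

```php
<?php
// Added example: session/token guard for an authenticated page.
// All names below are assumptions for this example, not a library API.
declare(strict_types=1);

const REGEN_EVERY = 20;   // regenerate the session id every N requests
const TOKEN_TTL   = 600;  // per-response token is valid for 10 minutes (time() + 60*10)

// Refuse session ids the server did not issue, and keep the cookie away from
// script access and plain-HTTP transport (assumes the site is served over HTTPS).
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Generate a fresh one-time token, store it with its expiry in the session,
// and let PHP append it to every link and form in the current response.
function issue_token(): void
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['token']         = $token;
    $_SESSION['token_expires'] = time() + TOKEN_TTL;
    output_add_rewrite_var('token', $token);
}

// Call once the credentials have been verified: a change of authority, so the
// session id is regenerated and the old one discarded.
function login(int $playerId): void
{
    session_regenerate_id(true);
    $_SESSION['player_id'] = $playerId;
    $_SESSION['requests']  = 0;
    issue_token();
}

// output_add_rewrite_var() only rewrites HTML output, so a header() redirect
// after login must carry the token explicitly.
function redirect_with_token(string $path): void
{
    header('Location: ' . $path . '?token=' . urlencode($_SESSION['token']));
    exit;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Any failed check ends the session and sends the player back to sign in.
function fail(string $reason): void
{
    logout();
    header('Location: /login.php?reason=' . urlencode($reason));
    exit;
}

// Guard to call at the top of every page that requires a signed-in player.
function require_login(): void
{
    if (empty($_SESSION['player_id'])) {
        fail('not signed in');
    }

    $sent     = (string) ($_POST['token'] ?? $_GET['token'] ?? '');
    $expected = (string) ($_SESSION['token'] ?? '');
    $expires  = (int) ($_SESSION['token_expires'] ?? 0);

    // Constant-time comparison; an empty stored token is rejected outright.
    if ($expected === '' || !hash_equals($expected, $sent)) {
        fail('missing or invalid token');
    }
    if (time() > $expires) {
        fail('token expired');
    }

    // Counter-based regeneration every REGEN_EVERY requests.
    if (++$_SESSION['requests'] >= REGEN_EVERY) {
        session_regenerate_id(true);
        $_SESSION['requests'] = 0;
    }

    // Every response carries a new token, so a replayed old one fails next time.
    issue_token();
}
```

Two practical caveats from a defender's side. First, session_regenerate_id(true) deletes the old session data immediately, so a page that fires several concurrent requests (AJAX polling in a browser game) can have the later ones arrive with an id that no longer exists; either regenerate only on ordinary page loads or keep the counter high enough that this is rare. Second, tying the session to the client's IP address, as the question considers, is brittle in practice because users behind carrier NAT or corporate proxies change address mid-session, and the one-time token above already gives the same protection without that side effect; storing the password (even hashed) in the session adds nothing, since the player_id is the fact the server needs.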