
any other ideas for some page security


Reaper0167


I'm looking to only have this page available to see if you are 1 of the 2 SESSIONS that are logged in.

<?php
error_reporting(E_ALL);
ini_set('display_errors',1);
session_start();
// only a logged in user whose id is 1 of the 2 may see this page;
// compare with !== directly, because (!$_SESSION['id'] == "admin") negates the id before comparing
if ( !isset($_SESSION['auth'], $_SESSION['id'])
     || ($_SESSION['id'] !== "admin" && $_SESSION['id'] !== "timcin") )  // if not 1 of the 2, redirect to homepage
{
    header("Location: http://www.homepage.com");
    session_unset();
    session_destroy();
    exit();
}
?>

Anything else you would do?

https://forums.phpfreaks.com/topic/166546-any-other-ideas-for-some-page-security/

Protect yourself from impersonation (session hijacking):

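// $_SESSION['HTTP_USER_AGENT'] is expected to hold sha1() of the user agent, stored at login
$userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (!isset($_SESSION['HTTP_USER_AGENT']) || sha1($userAgent) !== $_SESSION['HTTP_USER_AGENT']) {
    //same session, but different browser signature? (impersonating)
    session_destroy();
    exit(); // stop here so the rest of the page is not sent
}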

Optionally:

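// $_SESSION['REMOTE_ADDR'] is expected to hold sha1() of the client address, stored at login
if (!isset($_SESSION['REMOTE_ADDR']) || sha1($_SERVER['REMOTE_ADDR']) !== $_SESSION['REMOTE_ADDR']) {
    //same session, different ip address? (user performed an ipconfig /release, /renew)
    session_destroy();
    exit(); // stop here so the rest of the page is not sent
}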

If interested: http://shiflett.org/ - expert on (php) security
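
An added example, not code from either post, that puts the two checks from this thread together: the signature is stored once at login, and the page gate then requires a logged-in session, one of the two allowed ids, and a matching signature. The function names `bind_session` and `may_view` and all sample values are hypothetical; plain arrays stand in for `$_SESSION` and `$_SERVER` so it runs from the command line.

```php
<?php
// Added example; function names and sample values are constructed for illustration.

const ALLOWED_IDS = ['admin', 'timcin']; // the two ids from the thread

// Call once at login: record the browser signature this session is bound to.
function bind_session(array &$session, array $server, string $id): void
{
    $session['auth'] = true;
    $session['id'] = $id;
    $session['HTTP_USER_AGENT'] = sha1($server['HTTP_USER_AGENT'] ?? '');
}

// Call at the top of the protected page: true only for an allowed, bound session.
function may_view(array $session, array $server): bool
{
    if (empty($session['auth']) || !isset($session['id'], $session['HTTP_USER_AGENT'])) {
        return false; // not logged in, or the session was never bound at login
    }
    if (!in_array($session['id'], ALLOWED_IDS, true)) {
        return false; // logged in, but not 1 of the 2 allowed ids
    }
    // Same session presented with a different User-Agent: treat it as hijacked.
    return hash_equals($session['HTTP_USER_AGENT'], sha1($server['HTTP_USER_AGENT'] ?? ''));
}

// Constructed requests.
$browser = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed sample)'];
$other   = ['HTTP_USER_AGENT' => 'curl/8.0 (constructed sample)'];

$admin = [];
bind_session($admin, $browser, 'admin');
$guest = [];
bind_session($guest, $browser, 'someone');

var_dump(may_view($admin, $browser)); // allowed id, same browser
var_dump(may_view($admin, $other));   // allowed id, different browser signature
var_dump(may_view($guest, $browser)); // logged in, id not on the list
var_dump(may_view([], $browser));     // no session at all
```

On a real page, pass `$_SESSION` and `$_SERVER`, and when `may_view()` returns false send the redirect, call `session_destroy()` and `exit()`. The User-Agent header is supplied by the client, so a match is a weak signal on its own.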
