Reaper0167 Posted July 19, 2009

I'm looking to only have this page available to see if you are 1 of the 2 SESSIONS that are logged in.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();

$allowed = array('admin', 'timcin');

// make sure a user is logged in and is 1 of the 2; if not, redirect to homepage
if (!isset($_SESSION['auth'], $_SESSION['id']) || !in_array($_SESSION['id'], $allowed, true))
{
    header("Location: http://www.homepage.com");
    session_unset();
    session_destroy();
    exit();
}
?>
```

Anything else you would do?
ignace Posted July 19, 2009

Protect yourself from impersonation (session hijacking):

```php
if (sha1($_SERVER['HTTP_USER_AGENT']) !== $_SESSION['HTTP_USER_AGENT']) {
    session_destroy(); // same session, but different browser signature? (impersonating)
}
```

Optionally:

```php
if (sha1($_SERVER['REMOTE_ADDR']) !== $_SESSION['REMOTE_ADDR']) {
    session_destroy(); // same session, different ip address? (user performed an ipconfig /release, /renew)
}
```

If interested: http://shiflett.org/ - expert on (php) security
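Added example, not part of either post: the user-agent comparison above only works if the hash was written into the session at login, so this sketch shows both halves together with the two-id allow-list from the first post. The function names `bind_session` and `check_access` and the sample requests are assumptions made for illustration; the arrays stand in for `$_SESSION` and `$_SERVER` so the file runs from the CLI.

```php
<?php
// Added example; helper names are hypothetical, not from the thread.
const ALLOWED_IDS = ['admin', 'timcin']; // the two ids named in the first post

// Login side: call once, right after the credentials have been verified.
function bind_session(array &$session, array $server, string $id): void
{
    $session['auth'] = true;
    $session['id']   = $id;
    // Store the value the per-request check compares against.
    $session['HTTP_USER_AGENT'] = sha1($server['HTTP_USER_AGENT'] ?? '');
}

// Page side: call at the top of every protected page.
// Returns null when access is allowed, otherwise the reason for denial.
function check_access(array $session, array $server): ?string
{
    if (empty($session['auth']) || !isset($session['id'], $session['HTTP_USER_AGENT'])) {
        return 'not logged in';
    }
    $current = sha1($server['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($session['HTTP_USER_AGENT'], $current)) {
        return 'user agent changed';
    }
    if (!in_array($session['id'], ALLOWED_IDS, true)) {
        return 'id not allowed';
    }
    return null;
}

// Constructed sample requests (not real traffic).
$browser = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed sample)'];
$other   = ['HTTP_USER_AGENT' => 'curl/8.0 (constructed sample)'];

$anonymous = [];
$member    = [];
$outsider  = [];
bind_session($member, $browser, 'timcin');
bind_session($outsider, $browser, 'bob');

var_dump(check_access($anonymous, $browser)); // visitor with no session
var_dump(check_access($member, $browser));    // allowed id, same browser
var_dump(check_access($member, $other));      // same session, different browser
var_dump(check_access($outsider, $browser));  // logged in, id not on the list
```

On a real page, pass `$_SESSION` and `$_SERVER`, call `session_regenerate_id(true)` at login, and on any non-null result destroy the session, send the redirect and `exit()`. The User-Agent header is supplied by the client, so this check only catches a session id replayed from a different browser.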
Archived
This topic is now archived and is closed to further replies.