Reaper0167 Posted July 19, 2009

I'm looking to only have this page available to see if you are 1 of the 2 SESSIONS that are logged in.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();

// Require a logged-in session AND one of the two permitted ids.
// Each id is compared directly with !== and the two tests are joined with &&,
// so any other id (or no login at all) falls into the redirect branch.
if (!isset($_SESSION['auth'], $_SESSION['id']) // make sure a user is logged in
    || ($_SESSION['id'] !== "admin" && $_SESSION['id'] !== "timcin")) // if not 1 of the 2, redirect to homepage
{
    header("Location: http://www.homepage.com");
    session_unset();
    session_destroy();
    exit();
}
?>
```

Anything else you would do?
ignace Posted July 19, 2009

Protect yourself from impersonation (session hijacking):

```php
if (sha1($_SERVER['HTTP_USER_AGENT']) !== $_SESSION['HTTP_USER_AGENT']) {
    session_destroy(); //same session, but different browser signature? (impersonating)
}
```

Optionally:

```php
if (sha1($_SERVER['REMOTE_ADDR']) !== $_SESSION['REMOTE_ADDR']) {
    session_destroy(); //same session, different ip address? (user performed a ipconfig /release, /renew)
}
```

If interested: http://shiflett.org/ - expert on (php) security
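The checks discussed in this thread combined into one guard, as an added example that is not code from either poster: the login step stores the hashes that the comparisons above read back, and the page check also rejects visitors who have no session at all. The function names `bind_session` and `may_view`, the `$bindIp` flag and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread; function names are assumptions.

// Call once after a successful login: records who logged in and from which client.
function bind_session(array &$session, array $server, $id, $bindIp = false)
{
    $session['auth'] = true;
    $session['id'] = $id;
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    $session['HTTP_USER_AGENT'] = sha1($ua);
    if ($bindIp && isset($server['REMOTE_ADDR'])) {
        $session['REMOTE_ADDR'] = sha1($server['REMOTE_ADDR']);
    }
}

// True only if the session is logged in, its id is allow-listed, and the
// fingerprints stored at login still match the current request.
function may_view(array $session, array $server, array $allowed)
{
    if (empty($session['auth']) || !isset($session['id'])) {
        return false; // nobody is logged in
    }
    if (!in_array($session['id'], $allowed, true)) {
        return false; // logged in, but not one of the permitted ids
    }
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    if (!isset($session['HTTP_USER_AGENT']) || sha1($ua) !== $session['HTTP_USER_AGENT']) {
        return false; // same session, different browser signature
    }
    if (isset($session['REMOTE_ADDR'])) { // optional check, only if bound at login
        $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
        if (sha1($ip) !== $session['REMOTE_ADDR']) {
            return false; // same session, different IP address
        }
    }
    return true;
}

// Constructed sample requests (documentation-range IP address).
$allowed = array('admin', 'timcin');
$browser = array('HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)', 'REMOTE_ADDR' => '192.0.2.10');
$other   = array('HTTP_USER_AGENT' => 'OtherClient/1.0 (constructed)', 'REMOTE_ADDR' => '192.0.2.10');

$session = array();
bind_session($session, $browser, 'timcin', true);
var_dump(may_view($session, $browser, $allowed));  // same client as at login
var_dump(may_view($session, $other, $allowed));    // same session data, other client
var_dump(may_view(array(), $browser, $allowed));   // no login at all
```

In a real page, call `may_view($_SESSION, $_SERVER, $allowed)` right after `session_start()` and, when it returns false, destroy the session, send the redirect and `exit()`. The User-Agent header is supplied by the client, so the fingerprint works as a tripwire against a copied session id rather than as proof of identity.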