
[SOLVED] User-Agent header


orange08


I would like to know whether the User-Agent header, or $_SERVER['HTTP_USER_AGENT'], is consistent enough,

based on the following argument:

<?php

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] !== md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

?>

Some experts claim that the User-Agent header is not consistent enough to be used in the way described. The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster.


The User-Agent header is basically the browser's info (sent from the client), but it can be changed.

Personally, I would use HTTP_USER_AGENT as an extra check along with the client's IP. While it's true proxies can alter this info, it should remain the same for the duration of the connection. A new connection could go through another proxy, and even if that had the same external IP but changed the User-Agent, then it's considered a new connection, thus a re-login is required.

As a side note, I don't see the need to MD5 the HTTP_USER_AGENT if you're only keeping it in a session.
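
The extra check suggested in the reply above, as an added example that is not part of the original thread: the session keeps the raw User-Agent and client IP (no MD5), compares them strictly, and on a mismatch asks for the password again instead of trusting the session. The function name check_session_binding and the session keys bound_ua, bound_ip and authenticated are assumptions made for this example.

```php
<?php
// Added example; function name and session keys are hypothetical.
// Arrays are passed in so the demo runs on the CLI; in a real page call
// session_start() first and pass $_SESSION and $_SERVER.
function check_session_binding(array &$session, array $server, bool $checkIp = true): string
{
    $ua = (string) ($server['HTTP_USER_AGENT'] ?? '');
    $ip = (string) ($server['REMOTE_ADDR'] ?? '');

    if (!isset($session['bound_ua'])) {
        // First request in this session: remember what the client sent.
        $session['bound_ua'] = $ua;
        $session['bound_ip'] = $ip;
        return 'bound';
    }

    // Strict comparison: with == or !=, two digests that look like numbers
    // (for example "0e1234" and "0e5678") compare as equal in PHP.
    $uaSame = ($session['bound_ua'] === $ua);
    $ipSame = !$checkIp || ($session['bound_ip'] === $ip);
    if ($uaSame && $ipSame) {
        return 'ok';
    }

    // Mismatch (another proxy, or a stolen session id): keep the session
    // data but require the password again before it is trusted.
    $session['authenticated'] = false;
    return 'reauth';
}

// Constructed requests: same session, third one arrives with another User-Agent.
$session = ['authenticated' => true];
$requests = [
    ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '192.0.2.10'],
    ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '192.0.2.10'],
    ['HTTP_USER_AGENT' => 'OtherAgent/2.0',     'REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($requests as $i => $request) {
    $result = check_session_binding($session, $request);
    echo "request $i: $result\n";
    if ($result === 'reauth') {
        // Real page: show the password prompt here, then call
        // session_regenerate_id(true) and rebind after a successful login.
        echo "authenticated: " . var_export($session['authenticated'], true) . "\n";
    }
}
```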


Actually, I don't understand this:

The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster.

Does it mean HTTP_USER_AGENT will be changed by a human's action or automatically? I just worry that if I use this, a change of HTTP_USER_AGENT will cause my valid users to be affected...

It means some businesses have X proxies internally (hence the IP is also the same), but each proxy may handle the USER_AGENT transaction differently. However, unless they are set up badly, this shouldn't cause a problem, as it should only switch proxies when either the domain changes (no effect on you then), the connection is closed (again no effect), or a proxy is overloaded or fails (this is too close to how a session hijack would work, so I wouldn't worry).


OK, thanks for the explanation!

Archived

This topic is now archived and is closed to further replies.
