

I would like to know whether the User-Agent header, or $_SERVER['HTTP_USER_AGENT'], is consistent enough?

 

Based on the following argument:

<?php

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

?>

Some experts claim that the User-Agent header is not consistent enough to be used in the way described. The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster.

https://forums.phpfreaks.com/topic/176937-solved-user-agent-header/

The User-Agent header is basically the browser's info (sent from the client) but can be changed.

Personally I would use HTTP_USER_AGENT as an extra check along with the client's IP. While it's true proxies can alter this info, it should remain the same for the duration of the connection; a new connection could go through another proxy, and even if that had the same external IP but changed the user agent, then it's considered a new connection, thus a re-login is required.

 

As a side note, I don't see the need to MD5 the HTTP_USER_AGENT if you're only keeping it in a session.
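The check in the opening post and the suggestion in the reply above (User-Agent plus client IP) are the same idea: bind the session to a fingerprint of the request and force re-login when it changes. Below is an added example of that pattern, not code from either poster. It assumes the $_SERVER and $_SESSION arrays are passed in, so the logic can be run from the CLI with constructed input; the function names and the sample header values are hypothetical. It makes IP binding optional, because clients behind proxy clusters or NAT can legitimately change IP within one session (the caveat the thread is about), and it uses hash_equals() and a proper session reset on mismatch rather than a bare exit.

```php
<?php
// Added example (not the original poster's code): bind a session to a
// fingerprint of the User-Agent and, optionally, the client IP.
// Functions take $_SERVER / $_SESSION-shaped arrays so they can be
// exercised from the CLI with constructed input.

declare(strict_types=1);

// Build the fingerprint. The IP is included only when $bindIp is true,
// since proxy clusters and mobile carriers can change a client's IP
// mid-session and would otherwise log valid users out.
function session_fingerprint(array $server, bool $bindIp = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    // Hashing is not for secrecy (the UA is public); it gives a fixed-length
    // value and keeps the raw header out of the session store.
    return hash('sha256', implode("\n", $parts));
}

// Returns true when the session is new (fingerprint stored now) or when the
// stored fingerprint matches the current request; false on a mismatch.
function verify_session_fingerprint(array &$session, array $server, bool $bindIp = false): bool
{
    $current = session_fingerprint($server, $bindIp);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $current;
        return true;
    }
    // hash_equals() compares in constant time; the thread's code used != .
    return hash_equals($session['fingerprint'], $current);
}

// On mismatch: discard the session state and rotate the session ID so the
// old cookie is worthless, then send the user to the login page.
function handle_fingerprint_mismatch(array &$session): void
{
    $session = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // Application-specific: redirect to the login page here.
}

// Constructed demo input (hypothetical header values).
$first  = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '203.0.113.10'];
$second = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '203.0.113.11'];
$third  = ['HTTP_USER_AGENT' => 'OtherClient/2.0',    'REMOTE_ADDR' => '203.0.113.10'];

// UA-only binding: the first request stores the fingerprint, the second
// comes from a different IP with the same UA, the third changes the UA.
$session = [];
foreach ([$first, $second, $third] as $i => $request) {
    $ok = verify_session_fingerprint($session, $request);
    printf("UA-only, request %d: %s\n", $i + 1, $ok ? 'accepted' : 'mismatch');
    if (!$ok) {
        handle_fingerprint_mismatch($session);
    }
}

// Strict binding (UA + IP): the IP change alone now triggers a re-login.
$strict = [];
foreach ([$first, $second] as $i => $request) {
    $ok = verify_session_fingerprint($strict, $request, true);
    printf("UA+IP, request %d: %s\n", $i + 1, $ok ? 'accepted' : 'mismatch');
    if (!$ok) {
        handle_fingerprint_mismatch($strict);
    }
}
```

In a real handler you would call session_start() first and pass $_SESSION and $_SERVER to verify_session_fingerprint(); the check is a defence-in-depth signal alongside the session ID, not a replacement for it, and enabling IP binding is a trade-off between catching more hijacks and logging out users whose proxy or carrier changes their address.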


Actually, I don't understand this:

The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster.

 

Does it mean HTTP_USER_AGENT will change due to human action or automatically? I'm just worried that if I use this, a change of HTTP_USER_AGENT will cause my valid users to be affected...

It means some businesses have X proxies internally (hence the IP is also the same), but each proxy may handle the USER_AGENT transaction differently. However, unless they are set up badly this shouldn't cause a problem, as it should only switch proxies when either the domain changes (no effect on you then), the connection is closed (again no effect), or a proxy is overloaded or fails (this is too close to how a session hijack would work, so I wouldn't worry).


OK, thanks for the explanation!
