orange08 Posted October 8, 2009 Share Posted October 8, 2009 i would like to know whether User-Agent header or $_SERVER['HTTP_USER_AGENT'] is consistent enough? based on the following argument <?php session_start(); if (isset($_SESSION['HTTP_USER_AGENT'])) { if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) { /* Prompt for password */ exit; } } else { $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); } ?> Some experts claim that the User-Agent header is not consistent enough to be used in the way described. The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster. Quote Link to comment Share on other sites More sharing options...
MadTechie Posted October 8, 2009 Share Posted October 8, 2009 The User-Agent header is basically the browsers info (send from client) but can be changed, Personally I would use HTTP_USER_AGENT as an extra check along with the clients IP, while its true proxies can alter this info, it should remain the same for the duration of the connection, a new connection could to thought another proxy and even if that had the same external IP but changed the User agent then its consider a new connection thus a re-login is required.. as a side note.. i don't see the need to MD5 the HTTP_USER_AGENT if your only keeping it in a session Quote Link to comment Share on other sites More sharing options...
orange08 Posted October 8, 2009 Author Share Posted October 8, 2009 The User-Agent header is basically the browsers info (send from client) but can be changed, Personally I would use HTTP_USER_AGENT as an extra check along with the clients IP, while its true proxies can alter this info, it should remain the same for the duration of the connection, a new connection could to thought another proxy and even if that had the same external IP but changed the User agent then its consider a new connection thus a re-login is required.. as a side note.. i don't see the need to MD5 the HTTP_USER_AGENT if your only keeping it in a session actually, i'm not understand with: The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster. it meant HTTP_USER_AGENT will changed due to human's action or automatically? i just worry if using this, then the changed of HTTP_USER_AGENT will cause my valid user being affected... Quote Link to comment Share on other sites More sharing options...
MadTechie Posted October 8, 2009 Share Posted October 8, 2009 It means some business have X proxies internally and (hence the IP is also the same) but each proxy may handle the USER_AGENT transaction differently, however unless they are set-up badly this shouldn't cause a problem as the it should only switch proxies when either the domain changes(no effect on you then), connection is closed(again no effect), a proxy is overloaded or fails(this is too close to how a session hi-jack would work so i wouldn't worry) Quote Link to comment Share on other sites More sharing options...
orange08 Posted October 8, 2009 Author Share Posted October 8, 2009 It means some business have X proxies internally and (hence the IP is also the same) but each proxy may handle the USER_AGENT transaction differently, however unless they are set-up badly this shouldn't cause a problem as the it should only switch proxies when either the domain changes(no effect on you then), connection is closed(again no effect), a proxy is overloaded or fails(this is too close to how a session hi-jack would work so i wouldn't worry) ok, thanks for the explain! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.