soma56 Posted July 19, 2010

A quick question about checking a user's user-agent upon session start. I have a simple authentication page that, once the user provides the correct information, allows them to log in. At the top of my 'access granted' page I have the following:

```php
if($session->logged_in){
    if (isset($_SESSION['HTTP_USER_AGENT'])) {
        // A hash was stored earlier: compare it with the current request
        if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
            exit;
        }
    } else {
        // First visit after login: store the hash of the user-agent
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
    }
}
```

Maybe someone here can verify if I have this down correctly. Basically, if the session is 'logged in' or access is granted then the script compares the user-agent against the one being received by the server through an MD5 hash. Is this correct?

Although I'm certain there is a way to 'spoof' user-agents, it just occurred to me: what if no user-agent was set at all? Hmm, is that even possible?

Am I on the right track with the above code? Is there anything I should consider in this specific respect?

Kevin.Arvixe Posted July 19, 2010

I don't think this will work... Can you echo the value of $_SESSION['HTTP_USER_AGENT'] and $_SERVER['HTTP_USER_AGENT'] for me? Or provide me with the line of code that sets the $_SESSION['HTTP_USER_AGENT']?

soma56 (Author) Posted July 19, 2010

It looks like the session didn't return any session user-agent.

```php
echo $_SESSION['HTTP_USER_AGENT'];
echo "<br />";
echo $_SERVER['HTTP_USER_AGENT'];
```

This returned the first line as blank and the second line as my user-agent (presumably from the $_SERVER):

```
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
```

Kevin.Arvixe Posted July 19, 2010

Ok so do this... Log in to your app, then access a page w/ the code you just showed me, that way the $_SESSION variable will be set.

soma56 (Author) Posted July 19, 2010

Kevin, I think I have it. In the initial login page I placed this right after session_start();

```php
$_SESSION['browser'] = md5($_SERVER['HTTP_USER_AGENT']);
```

From there the session checks to see if the user is logged in. When a user does log in I have this:

```php
if($session->logged_in){
    if ($_SESSION['browser'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        /* Different Browser Found */
        exit;
    } else {
        //Correct Browser Detected
    }
}
```

This essentially compares the browser that was received by the initial login page with the one the person is using after they have logged in. It seems to be working, as when I did experiments setting: ($_SESSION['browser'] =(EQUAL TO)= md5($_SERVER['HTTP_USER_AGENT'])) I echoed back and saw them both being the same.

Did I find a viable solution for comparing a browser before and after login?
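
An added example, not part of the original thread or any poster's code: the check discussed above with the hash stored at login, a missing User-Agent header treated as an empty string, and the login state dropped on mismatch. The function names and the sample requests are assumptions made for illustration; in a real page the arguments would be `$_SESSION` and `$_SERVER`.

```php
<?php
// Added example; function names are hypothetical, sample requests are constructed.
// The User-Agent header is optional and chosen by the client, so this is only
// a consistency check layered on the login, not a replacement for it.

/** Hash the User-Agent; an absent header is hashed as the empty string. */
function ua_fingerprint(array $server): string
{
    $ua = isset($server['HTTP_USER_AGENT']) ? (string) $server['HTTP_USER_AGENT'] : '';
    return md5($ua);
}

/** Call once, at the moment the login succeeds. */
function bind_session_to_ua(array &$session, array $server): void
{
    $session['browser'] = ua_fingerprint($server);
}

/** Call on every protected page; false means the request must be refused. */
function session_ua_matches(array &$session, array $server): bool
{
    if (!isset($session['browser'])) {
        return false;               // nothing was stored at login
    }
    if (!hash_equals($session['browser'], ua_fingerprint($server))) {
        $session = [];              // drop the login state; real code would also call session_destroy()
        return false;
    }
    return true;
}

// Constructed sample requests standing in for $_SERVER.
$firefox  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6'];
$other    = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$noHeader = [];

$session = ['logged_in' => true];   // stands in for $_SESSION after a successful login
bind_session_to_ua($session, $firefox);

$cases = ['same browser' => $firefox, 'different browser' => $other, 'no header' => $noHeader];
foreach ($cases as $label => $request) {
    $copy = $session;               // each case starts from the logged-in session
    printf("%-17s %s\n", $label, session_ua_matches($copy, $request) ? 'accepted' : 'rejected');
}
```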