soma56 Posted July 19, 2010

A quick question about checking a user's user-agent upon session start. I have a simple authentication page that, once the user provides the correct information, allows them to log in. At the top of my 'access granted' page I have the following:

    if ($session->logged_in) {
        if (isset($_SESSION['HTTP_USER_AGENT'])) {
            // Compare the stored hash with the hash of the current user-agent
            if ($_SESSION['HTTP_USER_AGENT'] !== md5($_SERVER['HTTP_USER_AGENT'])) {
                exit;
            }
        } else {
            // Nothing stored yet: remember the hash of the current user-agent
            $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
        }
    }

Maybe someone here can verify if I have this down correctly. Basically, if the session is 'logged in' or access is granted then the script compares the user-agent against the one being received by the server through an MD5 hash. Is this correct?

Although I'm certain there is a way to 'spoof' user-agents, it just occurred to me: what if no user-agent was set at all? Hmm, is that even possible?

Am I on the right track with the above code? Is there anything I should consider in this specific respect?
Kevin.Arvixe Posted July 19, 2010

I don't think this will work... Can you echo the value of $_SESSION['HTTP_USER_AGENT'] and $_SERVER['HTTP_USER_AGENT'] for me? Or provide me with the line of code that sets the $_SESSION['HTTP_USER_AGENT']?
soma56 Posted July 19, 2010 (Author)

It looks like the session didn't return any session user-agent.

    echo $_SESSION['HTTP_USER_AGENT'];
    echo "<br />";
    echo $_SERVER['HTTP_USER_AGENT'];

This returned the first line as blank and the second line as my user-agent (presumably from the $_SERVER):

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Kevin.Arvixe Posted July 19, 2010

Ok so do this... Log in to your app, then access a page w/ the code you just showed me, that way the $_SESSION variable will be set.
soma56 Posted July 19, 2010 (Author)

Kevin, I think I have it. In the initial login page I placed this right after session_start();

    $_SESSION['browser'] = md5($_SERVER['HTTP_USER_AGENT']);

From there the session checks to see if the user is logged in. When a user does log in I have this:

    if ($session->logged_in) {
        if ($_SESSION['browser'] !== md5($_SERVER['HTTP_USER_AGENT'])) {
            /* Different Browser Found */
            exit;
        } else {
            // Correct Browser Detected
        }
    }

This essentially compares the browser that was received by the initial login page with the one the person is using after they have logged in. It seems to be working, as when I did experiments setting:

    ($_SESSION['browser'] =(EQUAL TO)= md5($_SERVER['HTTP_USER_AGENT']))

I echoed back and saw them both being the same. Did I find a viable solution for comparing a browser before and after login?
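The check discussed in this thread, written as an added example (not code from any poster): it stores a User-Agent fingerprint at login and compares it on later requests, including the case raised in the first post where no User-Agent header is sent at all. The function names and the `ua_fp` session key are hypothetical, and plain arrays stand in for `$_SESSION` and `$_SERVER` so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. Function names and the
// 'ua_fp' key are hypothetical.

// Fingerprint of the client's User-Agent. The header is optional and
// client-controlled, so a missing header is mapped to an empty string
// instead of triggering an undefined-index notice.
function ua_fingerprint(array $server): string
{
    $ua = isset($server['HTTP_USER_AGENT']) ? (string) $server['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ua);
}

// Call once, immediately after the credentials have been verified.
function bind_session_to_agent(array &$session, array $server): void
{
    $session['ua_fp'] = ua_fingerprint($server);
}

// Call at the top of every protected page. Returns false when the
// session has no stored fingerprint or the current one differs.
function session_matches_agent(array $session, array $server): bool
{
    if (!isset($session['ua_fp']) || !is_string($session['ua_fp'])) {
        return false; // never bound: treat as not authenticated
    }
    // Strict, constant-time string comparison (no loose == on hex digests).
    return hash_equals($session['ua_fp'], ua_fingerprint($server));
}

// Constructed sample requests (not taken from the thread).
$login   = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0 (constructed)'];
$same    = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0 (constructed)'];
$changed = ['HTTP_USER_AGENT' => 'OtherClient/2.0 (constructed)'];
$missing = []; // client sent no User-Agent header

$session = [];
var_dump(session_matches_agent($session, $same));    // session not bound yet
bind_session_to_agent($session, $login);
var_dump(session_matches_agent($session, $same));    // same browser as at login
var_dump(session_matches_agent($session, $changed)); // different User-Agent
var_dump(session_matches_agent($session, $missing)); // header absent
```

In a real page, pass `$_SESSION` and `$_SERVER` to these functions and end the session when `session_matches_agent()` returns false. Because the header is supplied by the client, this check only catches a session cookie replayed from a different browser; calling `session_regenerate_id(true)` at login is still needed alongside it.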