someguy321 Posted September 15, 2010
I see all over the web that I should tie a session cookie to an IP to help stop some XSS session stealing, but I can't find HOW to do this anywhere. Can someone post some example code? Thanks!
https://forums.phpfreaks.com/topic/213503-how-tie-cookie-to-an-ip-address/
Andy-H Posted September 15, 2010
Never heard of it, but I guess it would work this way:

// Strip the separators (IPv4 dots, IPv6 colons) so the address can be used in a cookie name
$addr = str_replace(array(".", ":"), "", $_SERVER['REMOTE_ADDR']);

// set cookie
if ( !isset($_COOKIE[$addr . "-cookiename"]) ) {
    // arguments: name, value, expire, path, domain, secure (bool), httponly (bool)
    setcookie($addr . "-cookiename", "cookieval", time() + 56400, "", "", false, true);
}

// get cookie
if ( isset($_COOKIE[$addr . "-cookiename"]) ) {
    $val = $_COOKIE[$addr . "-cookiename"];
}
johnsmith153 Posted September 15, 2010
Tie this in with the login script. When someone logs in and you store their user id (or whatever) as $_SESSION['loggedInUserId'] (e.g.), also store their IP in $_SESSION['registeredIP'] (or something). On every page that you check $_SESSION['loggedInUserId'], also check if $_SESSION['registeredIP'] matches the user's IP, which of course it should. If a hacker then hijacks an active session, $_SESSION['loggedInUserId'] will obviously show the user's session they have stolen, but $_SESSION['registeredIP'] certainly won't match their IP. In this case you can throw them off. I always make admin areas use SSL for every page anyway, so this wouldn't be needed for them.
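A worked version of the IP binding described in the two replies above, added here as an editor's example and not code from either poster. It follows johnsmith153's scheme (store the IP in $_SESSION at login, compare it on every protected page, drop the session on mismatch) and sets the cookie flags that Andy-H's setcookie() call reaches for. The function names start_secure_session(), client_ip(), login_user(), drop_session() and current_user(), and the user id 42 in the usage comments, are my own choices; the $_SESSION keys are the ones johnsmith153 used.

```php
<?php
// Editor's example, not code from the thread. Binds a PHP session to the
// client IP at login and re-checks it on every protected page, the scheme
// johnsmith153 describes. Function names and the user id are assumptions.
declare(strict_types=1);

// Start the session with cookie flags that matter for session theft.
// (The array form of session_set_cookie_params needs PHP 7.3 or later.)
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable by JavaScript, so an XSS payload
                              // cannot simply read document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// The address the request arrived from, validated as a real IPv4/IPv6 literal.
// Caveat: behind a reverse proxy or load balancer this is the proxy's address,
// so every user would share one "IP" and the check below becomes meaningless.
function client_ip(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('REMOTE_ADDR is missing or not an IP address');
    }
    return $ip;
}

// Call once the password check has passed.
function login_user(int $userId): void
{
    session_regenerate_id(true);        // fresh id on login blocks session fixation
    $_SESSION['loggedInUserId'] = $userId;
    $_SESSION['registeredIP']   = client_ip();
}

// Discard the session entirely, including the cookie in the browser.
function drop_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every page that needs a logged-in user.
// Returns the user id, or null if there is no valid login or the session
// is being presented from an address other than the one it was created at.
function current_user(): ?int
{
    if (!isset($_SESSION['loggedInUserId'], $_SESSION['registeredIP'])) {
        return null;
    }
    if (!hash_equals($_SESSION['registeredIP'], client_ip())) {
        // Session presented from another address: treat it as hijacked and
        // invalidate the id so the stolen cookie is worthless from now on.
        drop_session();
        return null;
    }
    return (int) $_SESSION['loggedInUserId'];
}

// Usage on login.php, after verifying the credentials:
//   start_secure_session();
//   login_user(42);
//
// Usage on any protected page:
//   start_secure_session();
//   if (current_user() === null) { header('Location: /login.php'); exit; }
```

Two limits worth knowing before relying on this check: users behind one NAT or corporate proxy all present the same address, so an attacker on the same network passes the comparison, and users whose address changes mid-session (mobile networks, some ISPs) get logged out. The HttpOnly flag on the session cookie is what actually stops a script injected via XSS from reading the cookie in the first place; the IP comparison only limits where a cookie that has already leaked can be replayed from.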
someguy321 (Author) Posted September 15, 2010
(quoting johnsmith153's reply above)
Thanks! Can you explain a bit more about how SSL makes it so they're protected from that same session hijacking?
This topic is now archived and is closed to further replies.