How to prevent session spoofing and session hijacking?


ebol4

I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content.

 

To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, then it lets them continue through the website; if not, it tells them to log in. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in?

 

My idea was to generate a session key cookie when they login (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive.


Then again though, even if I did use my solution, it's still vulnerable to XSS session hijacking. I could check the user-agent, but if the attacker has the same user-agent, it'd still let the session be hijacked. If I checked the IP, people who use proxies that change IPs based on server load would have to keep logging in.


I guess I could use user-agent combined with screen resolution. Screen resolution requires JavaScript though, so it'll just be a backup in case the user-agent suddenly changes. Is there a better way to defend against hijacking?

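The three posts above ask, in turn, whether checking $_SESSION['user'] is enough, whether a random per-login token stored in the database is worth the cost, and what actually stops a hijacked session. Two facts frame the answer: $_SESSION lives on the server, so the browser's cookie carries only the session ID, and the threat is therefore someone guessing, planting (fixation) or stealing that ID, not editing $_SESSION directly; and a database token does not by itself stop a hijacker who has the ID, but it does let the server revoke a session on logout or password change. The example below is added here and is not code from the original poster. It assumes a users table with columns id, username, password_hash (filled by password_hash()) and session_token (nullable CHAR(64)); the PDO DSN and credentials are placeholders. The DB check is one indexed primary-key lookup per request, which is cheap.

```php
<?php
// Added example, not from the original post. Assumed schema:
//   users(id INT PK, username VARCHAR, password_hash VARCHAR, session_token CHAR(64) NULL)
declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Placeholder DSN and credentials; replace with your own.
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    }
    return $pdo;
}

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The session ID cookie IS the credential. HttpOnly keeps it away from
    // injected JavaScript (the XSS hijack case), Secure keeps it off plain
    // HTTP, and strict mode rejects IDs the server never issued, so an
    // attacker cannot plant a cookie and have it become a valid session.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    startSecureSession();
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so timing does
    // not reveal which usernames exist.
    $hash = $row !== false ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }
    // Fresh ID after authentication: any ID the browser carried before
    // login (possibly attacker-chosen) is discarded.
    session_regenerate_id(true);

    // Random per-login token kept in the DB and in the server-side session;
    // the browser never sees it. Its value is revocation, not secrecy.
    $token = bin2hex(random_bytes(32));
    $upd = db()->prepare('UPDATE users SET session_token = ? WHERE id = ?');
    $upd->execute([$token, $row['id']]);

    $_SESSION['user']  = (int) $row['id'];
    $_SESSION['token'] = $token;
    // Cheap, imperfect binding: a changed user-agent is a hijack signal.
    $_SESSION['ua']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

// Call at the top of every protected page; returns the user id or stops.
function requireLogin(): int
{
    startSecureSession();
    if (!isset($_SESSION['user'], $_SESSION['token'], $_SESSION['ua'])) {
        deny();
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua'], $ua)) {
        deny();
    }
    // One primary-key lookup; an empty or NULL stored token means the
    // session was revoked (logout, password change) and never matches.
    $stmt = db()->prepare('SELECT session_token FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user']]);
    $stored = (string) $stmt->fetchColumn();
    if ($stored === '' || !hash_equals($stored, $_SESSION['token'])) {
        deny();
    }
    return (int) $_SESSION['user'];
}

function logout(): void
{
    startSecureSession();
    if (isset($_SESSION['user'])) {
        $stmt = db()->prepare('UPDATE users SET session_token = NULL WHERE id = ?');
        $stmt->execute([$_SESSION['user']]);
    }
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}

function deny(): void
{
    http_response_code(401);
    exit('Please log in.');
}
```

The user-agent check is kept as a low-cost tripwire only: as the second post notes, an attacker who stole the cookie can replay the same user-agent, and IP binding breaks for users behind rotating proxies. The controls that actually reduce hijack risk here are the cookie flags, strict mode, session_regenerate_id() on login, and escaping output so the XSS never runs; the database token adds the ability to kill a session server-side, and setting session_token to NULL on password change logs out every device at once.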
