session hijacking problem


lofaifa


Which is the best place to put this code:

 

if(isset($_SESSION['last_ip'])===false){
	$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
}
if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
	session_unset();
	session_destroy();
}

 

like this:

 

class session {
	public $user_on=false;
	public $user_id;

	function __construct(){
		//make sure that javascript can not access the session cookie
		ini_set('session.cookie_httponly',true);
		session_start();
		//set the last ip the user has logged on with
		if(isset($_SESSION['last_ip'])===false){
			$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
		}
		//ip changed since the session was created: throw the session away
		//(session_unset() clears user_id, so check_login() will see a guest)
		if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
			session_unset();
			session_destroy();
		}
		$this->check_login();
	}

	private function check_login(){
		if(isset($_SESSION['user_id'])){
			//$user is a global user object defined elsewhere in the application
			global $user;
			$this->user_id=$_SESSION['user_id'];
			$this->user_on=true;
			$user->find_by_id($this->user_id);
		} else {
			unset($this->user_id);
			$this->user_on=false;
		}
	}
}

 

OR:

class session {
	public $user_on=false;
	public $user_id;

	function __construct(){
		//make sure that javascript can not access the session cookie
		ini_set('session.cookie_httponly',true);
		session_start();
		$this->check_login();
	}

	private function check_login(){
		if(isset($_SESSION['user_id'])){
			//$user is a global user object defined elsewhere in the application
			global $user;
			//moved here from the constructor:
			//set the last ip the user has logged on with
			if(isset($_SESSION['last_ip'])===false){
				$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
			}
			//the ip check now only runs for sessions that already hold a user_id
			if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
				session_unset();
				session_destroy();
			} elseif($_SESSION['last_ip']===$_SERVER['REMOTE_ADDR']){
				$this->user_id=$_SESSION['user_id'];
				$this->user_on=true;
				$user->find_by_id($this->user_id);
			}
		} else {
			unset($this->user_id);
			$this->user_on=false;
		}
	}
}

 

https://forums.phpfreaks.com/topic/259487-session-hijacking-problem/

- The user is about to log in and $_SESSION['last_ip'] is not set yet, so we're going to set it:

 

if(isset($_SESSION['last_ip'])===false){
	$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
}

- The user is browsing the site with the same IP address; neither of those lines will run:

 

//because we already set his $_SESSION['last_ip'] when he logged in
(isset($_SESSION['last_ip'])===false)==false;
//because he's still on the same computer = same IP
($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR'])==false;

 

- Now someone from another computer tries to access the same account, and now the second part will run:

 

if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
	session_unset();
	session_destroy();
}

 

because the $_SESSION value is stored on the server ... ?

 

 

If someone uses AOL, which I only know a few people that do, can't their IP change during use?

 

Some people use HTTP_USER_AGENT; someone had a link on here that went to a site explaining its use as well as encrypting it with md5 instead of using an IP. Hopefully whoever provided the link will chime in; it was a good article.

 

My setup is basically

if ((!isset($_SESSION['mem_id'])) OR (!isset($_SESSION['user_agent']) OR ($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'])))){
	// Not a logged in member, redirect
} else {
	// do whatever
}

... someone had a link on here that went to a site explaining its use as well as encrypting it with md5 instead of using an IP. Hopefully whoever provided the link will chime in; it was a good article.

 

http://phpsec.org/projects/guide/4.html

Sessions are stored on the user's machine, not the web server.

 

The best way is to store the user's IP in the DB with the login datetime.

 

Then when a user logs in, store their IP in the DB.

If the user is currently logged in, check the current user's IP against the one in the DB.

 

TBH: Why do you need single-use logins?

 

Is it really any harm if 2 different locations are logged in at the same time?

 

I sometimes log into a website on my mobile 3G connection, then log in on a desktop to see something easier.

 

Also:

A user's IP could change when using a mobile device,

thus constantly logging the user out.
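Pulling the thread together, here is an added example (my own code, not the original poster's, not the phpsec guide's) of one place for all of these checks: the fingerprint is taken from the User-Agent as suggested above, IP binding is opt-in only because of the AOL/mobile caveat, and the fingerprint is recorded at login rather than on first visit, so whoever reaches the site first cannot "set" it for a later login. The class name SessionGuard, the bindToIp flag and the $_SESSION keys are assumed names; it needs PHP 8.

```php
// Added example, not the thread's code. Hypothetical class; PHP 8 syntax.
final class SessionGuard
{
    // IP binding is optional: mobile and proxied users change IP mid-session.
    public function __construct(private bool $bindToIp = false)
    {
        ini_set('session.cookie_httponly', '1');  // cookie unreadable from JS
        ini_set('session.use_strict_mode', '1');  // reject unknown session IDs
        ini_set('session.use_only_cookies', '1'); // no session ID in the URL
        session_start();
        // Only a logged-in session carries a fingerprint to compare against.
        if (isset($_SESSION['user_id']) && !$this->fingerprintMatches()) {
            $this->logout();
        }
    }

    private function fingerprint(): string
    {
        $parts = $_SERVER['HTTP_USER_AGENT'] ?? '';
        if ($this->bindToIp) {
            $parts .= '|' . ($_SERVER['REMOTE_ADDR'] ?? '');
        }
        return hash('sha256', $parts);
    }

    private function fingerprintMatches(): bool
    {
        return isset($_SESSION['fingerprint'])
            && hash_equals($_SESSION['fingerprint'], $this->fingerprint());
    }

    // Call once the password check has passed. The fingerprint is recorded
    // here, at login, and the ID is regenerated so the ID the browser held
    // before authentication is never the one that carries the login.
    public function login(int $userId): void
    {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
        $_SESSION['fingerprint'] = $this->fingerprint();
    }

    public function logout(): void
    {
        $_SESSION = [];
        session_destroy();
        session_start();             // fresh, empty session for this request
        session_regenerate_id(true);
    }
}
```

Construct it once at the top of every page instead of calling session_start() directly, and call login() only after the credentials have been verified; the user_id check in the constructor then answers the original question of where the check belongs.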
