session hijacking problem


lofaifa

Which is the best place to put this code:

 

if(isset($_SESSION['last_ip'])===false){
		$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
	}
	if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
		session_unset();
		session_destroy();
	}

 

Like this:

 

class session {
public $user_on=false;
public $user_id;

function __construct(){
	//make sure that javascript can not access session variable
	ini_set('session.cookie_httponly',true);
	session_start();
	//set the last ip the user has logged on with
	if(isset($_SESSION['last_ip'])===false){
		$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
	}
	if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
		session_unset();
		session_destroy();
	}
	$this->check_login();
}

private function check_login(){
	if(isset($_SESSION['user_id'])){
		global $user;
		$this->user_id=$_SESSION['user_id'];
		$this->user_on=true;
		$user->find_by_id($this->user_id);
	} else {
		unset($this->user_id);
		$this->user_on=false;
	}
}
}

 

Or, moving the last_ip check inside check_login:

class session {
public $user_on=false;
public $user_id;

function __construct(){
	//make sure that javascript can not access session variable
	ini_set('session.cookie_httponly',true);
	session_start();
	$this->check_login();
}

private function check_login(){
	if(isset($_SESSION['user_id'])){
		global $user;
		//set the last ip the user has logged on with
		if(isset($_SESSION['last_ip'])===false){
			$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
		}
		if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
			session_unset();
			session_destroy();
		} elseif($_SESSION['last_ip']===$_SERVER['REMOTE_ADDR']){
			$this->user_id=$_SESSION['user_id'];
			$this->user_on=true;
			$user->find_by_id($this->user_id);
		}
	} else {
		unset($this->user_id);
		$this->user_on=false;
	}
}
}

 


The code does not make sense to me

 

So basically, if the session last_ip which you set on the USER'S machine is different from what you just set, then kick them off.

This would never be true unless they changed their IP but stayed on the same machine.


- The user is about to log in and $_SESSION['last_ip'] is not set yet, so we are going to set it:

 

if(isset($_SESSION['last_ip'])===false){
		$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
	} 

- The user is browsing the site with the same IP address; neither of those lines will run:

 

// because we already set his $_SESSION['last_ip'] when he logged in
isset($_SESSION['last_ip']) === false;              // evaluates to false
// because he's still on the same computer = same IP
$_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR'];    // evaluates to false

 

- Now someone from another computer is going to try to access the same account, and now the second part will run:

 

if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
		session_unset();
		session_destroy();
	}

 

because the $_SESSION value is stored on the server .. ?

 

 


If someone uses AOL, which I only know a few people that do, can't their IP change during use?

 

Some people use HTTP_USER_AGENT; someone had a link on here that went to a site explaining its use, as well as encrypting it with md5 instead of using an IP. Hopefully whoever provided the link will chime in, it was a good article.

 

My setup is basically:

if ((!isset($_SESSION['mem_id']))
    OR (!isset($_SESSION['user_agent'])
    OR ($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'])))) {
	// Not a logged-in member, redirect
} else {
	// do whatever
}

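The IP check in the original post and the User-Agent check in the reply above both try to bind a session to attributes of the request. The following is an added example, not code from any poster in this thread, of a session class that does that binding with a keyed hash and adds the controls that actually make a stolen or fixated session ID useless: hardened cookie flags, strict mode and ID regeneration at login. The class name SessionGuard, the SECRET constant, the bindIp flag and all method names are assumptions made for this example.

```php
<?php
// Added example (not the original poster's code). Assumptions: the SECRET
// value is loaded from configuration in a real deployment; bindIp is a
// per-application choice; PHP >= 8.0 is required for the syntax used.

declare(strict_types=1);

final class SessionGuard
{
    // Assumption: replace with a random value kept out of source control.
    private const SECRET = 'replace-with-a-random-32-byte-value';

    public function __construct(private bool $bindIp = false) {}

    public function start(): void
    {
        // All of this must happen before session_start().
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'secure'   => true,    // only sent over HTTPS
            'httponly' => true,    // not readable by JavaScript (the OP's cookie_httponly)
            'samesite' => 'Lax',   // not attached to cross-site POSTs
        ]);
        ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
        ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
        session_start();

        if (isset($_SESSION['fingerprint'])
            && !hash_equals($_SESSION['fingerprint'], $this->fingerprint())) {
            // The cookie was presented by a client that does not match the
            // one that logged in: drop the data and retire the ID.
            $_SESSION = [];
            session_regenerate_id(true);
        }
    }

    public function login(int $userId): void
    {
        // Issue a fresh ID on privilege change so a pre-set (fixated) ID is useless.
        session_regenerate_id(true);
        $_SESSION['user_id']     = $userId;
        $_SESSION['fingerprint'] = $this->fingerprint();
        $_SESSION['login_at']    = time();
    }

    public function userId(): ?int
    {
        return $_SESSION['user_id'] ?? null;
    }

    public function logout(): void
    {
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
        session_destroy();
    }

    private function fingerprint(): string
    {
        $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
        if ($this->bindIp) {
            // Optional: IP binding will log out users whose address changes
            // mid-session (mobile networks, some ISPs), as noted in the thread.
            $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
        }
        // Keyed hash: the stored value cannot be recomputed from headers alone.
        return hash_hmac('sha256', implode("\n", $parts), self::SECRET);
    }
}

// Usage (assumed):
// $guard = new SessionGuard(bindIp: false);
// $guard->start();
// if ($credentialsAreValid) { $guard->login(42); }
```

The User-Agent binding is only a tripwire: an attacker who replays the stolen cookie from a client that sends the same User-Agent string passes it, whether the stored value is md5 or an HMAC. The controls that matter are the Secure/HttpOnly/SameSite cookie flags, strict mode, and regenerating the ID at login; IP binding is left off by default for the reason the later replies give.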

Sessions are stored on the user's machine, not the web server.

 

The best way is to store the user's IP in the DB with the login datetime.

 

Then when a user logs in, store their IP in the DB.

If the user is currently logged in, check the current user's IP against the one in the DB.

 

TBH: Why do you need single use logins?

 

Is it really any harm if 2 different locations are logged in at the same time?

 

I sometimes log into a website on my mobile 3G connection, then log in on a desktop to see something easier.

 

Also:

A user's IP could change when using a mobile device,

thus constantly logging the user out.

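The reply above suggests keeping the IP and login time in the database and checking against it. As an added example, not code from any poster in this thread, here is a server-side session store that records each session's client IP and last-seen time, implemented as a SessionHandlerInterface over SQLite through PDO, plus the single-login policy the reply asks about (a second login for the same user replaces the first session). The DSN, the table and column names, the recordLogin() method and the bindIp flag are assumptions made for this example.

```php
<?php
// Added example (not any poster's code). Assumptions: SQLite via PDO, the
// table layout below, and that REMOTE_ADDR is the real client address
// (i.e. no untrusted proxy in front). Requires PHP >= 8.1 for the
// interface return types.

declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private bool $bindIp = false)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL,
            ip TEXT NOT NULL, last_seen INTEGER NOT NULL)');
        $db->exec('CREATE TABLE IF NOT EXISTS user_sessions (
            user_id INTEGER PRIMARY KEY, session_id TEXT NOT NULL,
            ip TEXT NOT NULL, login_at INTEGER NOT NULL)');
    }

    private function clientIp(): string
    {
        // Set by the web server; do not read X-Forwarded-For here unless a
        // trusted proxy rewrites it.
        return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data, ip FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';
        }
        if ($this->bindIp && $row['ip'] !== $this->clientIp()) {
            // The thread's last_ip comparison, done in the store: the session
            // is dropped and this request starts with empty session data.
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // INSERT OR REPLACE is SQLite syntax; use an upsert for other engines.
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, ip, last_seen) VALUES (?, ?, ?, ?)');
        return $st->execute([$id, $data, $this->clientIp(), time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }

    /** Call right after session_regenerate_id(true) on a successful login. */
    public function recordLogin(int $userId): void
    {
        $st = $this->db->prepare('SELECT session_id FROM user_sessions WHERE user_id = ?');
        $st->execute([$userId]);
        $previous = $st->fetchColumn();
        if ($previous !== false && $previous !== session_id()) {
            $this->destroy($previous);   // single login: log out the other location
        }
        $this->db->prepare('INSERT OR REPLACE INTO user_sessions
                (user_id, session_id, ip, login_at) VALUES (?, ?, ?, ?)')
            ->execute([$userId, session_id(), $this->clientIp(), time()]);
    }
}

// Usage (assumed bootstrap):
// $handler = new DbSessionHandler(new PDO('sqlite:/var/lib/app/sessions.db'));
// session_set_save_handler($handler, true);
// session_start();
// // on successful login:
// session_regenerate_id(true);
// $handler->recordLogin($userId);
// $_SESSION['user_id'] = $userId;
```

Because the data lives in the sessions table, the server is the only place the session state exists; the browser holds nothing but the ID cookie. After an IP-mismatch reset in read(), call session_regenerate_id(true) in the application so the rejected ID is not reused with empty data; and note that turning bindIp on brings back the mobile-address problem described in the reply above, so the single-login policy in recordLogin() is the more robust of the two checks.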
