Guest daleosmond Posted May 11, 2006

Hey,

I am developing a user system class for my site. I have noticed that sessions can be hijacked if someone was to get the PHP session ID, so therefore I need to take something from a user's computer, store it in the session, and finally compare it when it checks to see if a user is signed in.

I cannot use $_SERVER['REMOTE_ADDR']; this is because AOL users' IPs change quite often while surfing.

So does anyone know what I could take?

Thanks in advance,
dale

Adthegreat Posted May 13, 2006

You could give them another variable and store it in their cookies. On my site, when someone logs in they are given a random hash which is stored in their cookies and my MySQL database, and every time they go to a new page it asks for their current hash and compares the one from their cookie to the database; if it is different, it boots them.

This means that if someone were to steal the cookies and hijack the session, the user would just have to log back in and the cookie ID would have changed, and the hacker will be booted. Also, you need to require the old password when changing it to a new one so that if a session is hijacked, they can't change the password.
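
The per-login token check described in the reply above, as an added example that is not part of the original thread or either poster's code. The table and column names, the function names, the in-memory SQLite database (standing in for MySQL) and the choice to store only a SHA-256 hash of the token are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the site's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL)');

// Called after the password check succeeds. Issues a fresh random token,
// replacing any earlier one, and returns the value to place in the cookie.
function issueLoginToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('REPLACE INTO login_tokens (user_id, token_hash) VALUES (?, ?)');
    // Store a hash so a database leak does not expose usable cookie values.
    $stmt->execute([$userId, hash('sha256', $token)]);
    return $token;
}

// Called on every page load. Compares the cookie value with the stored hash
// using a constant-time comparison.
function tokenIsCurrent(PDO $db, int $userId, string $cookieToken): bool
{
    $stmt = $db->prepare('SELECT token_hash FROM login_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, hash('sha256', $cookieToken));
}

// Constructed walk-through: user 42 logs in, a copy of the cookie leaks,
// then the user logs in again and the token is rotated.
$first = issueLoginToken($db, 42);
$leakedCopy = $first;
var_dump(tokenIsCurrent($db, 42, $first));      // check the original cookie

$second = issueLoginToken($db, 42);             // user logs back in
var_dump(tokenIsCurrent($db, 42, $leakedCopy)); // check the leaked copy
var_dump(tokenIsCurrent($db, 42, $second));     // check the new cookie
```

On a live site the returned token would be sent with setcookie() using the httponly and secure options, and a failed check would destroy the session.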