Archived

This topic is now archived and is closed to further replies.

$_SERVER information.

Guest daleosmond
Hey,
I am developing a user system class for my site. I have noticed that a session can be hijacked
if someone was to get the PHP session ID, so therefore I need to take something from a user's computer
and store it in the session and finally compare it when it checks to see if a user is signed in.
I cannot use $_SERVER['REMOTE_ADDR'] because AOL users' IPs change quite often while surfing.
So does anyone know what I could take?

thanks in advance,
dale

You could give them another variable and store it in their cookies.

On my site, when someone logs in they are given a random hash which is stored in their cookies and in my MySQL database. Every time they go to a new page it asks for their current hash and compares the one from their cookie to the database; if it is different it boots them.

This means that if someone were to steal the cookies and hijack the session, the user would just have to log back in and the cookie ID would have changed, and the hacker will be booted. Also you need to require the old password when changing it to a new one, so that if a session is hijacked they can't change the password.

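The scheme in the reply above, written out as an added example (this is not code from the thread; the `users` schema, the in-memory SQLite database and the sample user `dale` are assumptions made so the script runs stand-alone). It also answers the original question from a different angle: instead of binding the session to something taken from the client, which the REMOTE_ADDR problem shows to be unreliable, it ties the signed-in state to a server-side random token that is rotated on every login and on every password change.

```php
<?php
declare(strict_types=1);
// Added example, not from the original thread: the per-page login token the
// reply describes. ASSUMED schema: users(id, username, password_hash,
// token_hash). The SQLite database and the sample user are constructed here
// so the script runs stand-alone:  php session_token.php

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                    password_hash TEXT NOT NULL, token_hash TEXT)');
        $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        $ins->execute(['dale', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed sample user
    }
    return $pdo;
}

// Issue a fresh random token for $userId and return the cookie value "id:token".
// Only the SHA-256 of the token is stored, so a read-only database leak does not
// yield usable cookies. Issuing a new token on every login is what "boots" a
// hijacker who copied the previous cookie.
function issueToken(int $userId): string {
    $token = bin2hex(random_bytes(32));
    $upd = db()->prepare('UPDATE users SET token_hash = ? WHERE id = ?');
    $upd->execute([hash('sha256', $token), $userId]);
    // In a real request the value goes out as:
    // setcookie('auth', "$userId:$token", ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return "$userId:$token";
}

function login(string $username, string $password): ?string {
    $q = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return issueToken((int) $row['id']);
}

// Run on every page load: look up the user named in the cookie and compare the
// cookie's token hash with the stored one. Any mismatch means "not signed in".
function currentUser(?string $cookie): ?array {
    if ($cookie === null || !preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $q = db()->prepare('SELECT id, username, password_hash, token_hash FROM users WHERE id = ?');
    $q->execute([(int) $m[1]]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['token_hash'] === null) {
        return null;
    }
    // hash_equals is constant-time, so the comparison leaks nothing about the stored value.
    return hash_equals($row['token_hash'], hash('sha256', $m[2])) ? $row : null;
}

// A password change demands the old password as well as a valid cookie, so a
// stolen cookie alone cannot lock the real user out. A successful change also
// rotates the token, invalidating every other copy of the cookie.
function changePassword(?string $cookie, string $oldPassword, string $newPassword): ?string {
    $user = currentUser($cookie);
    if ($user === null || !password_verify($oldPassword, $user['password_hash'])) {
        return null;
    }
    $upd = db()->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), (int) $user['id']]);
    return issueToken((int) $user['id']);
}

// Walk through the scenario from the reply.
$stolen = login('dale', 'correct horse');            // attacker copies this cookie
printf("stolen cookie works: %s\n", currentUser($stolen) ? 'yes' : 'no');
$fresh = login('dale', 'correct horse');             // real user logs in again
printf("stolen cookie after re-login: %s\n", currentUser($stolen) ? 'yes' : 'no');
printf("fresh cookie works: %s\n", currentUser($fresh) ? 'yes' : 'no');
printf("hijacker changes password without old one: %s\n",
       changePassword($fresh, 'wrong guess', 'pwned') ? 'yes' : 'no');
```

Two details go beyond what the reply spells out: the database holds only a SHA-256 of the token, and the check uses hash_equals rather than `==`. Be clear about what the scheme does and does not do: a stolen cookie stays valid until the real user logs in again or changes the password, so it limits the damage of a hijack rather than preventing one; pair it with the HttpOnly and Secure cookie flags, a session lifetime, and TLS. Binding the token to $_SERVER['HTTP_USER_AGENT'] is sometimes suggested in place of the IP address, but anyone who can steal the cookie can copy the User-Agent header just as easily, so it adds little.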
