

$_SERVER information.


1 reply to this topic

#1 Guest_daleosmond_*

Guest_daleosmond_*
  • Guests

Posted 11 May 2006 - 12:10 PM

Hey,
I am developing a user system class for my site. I have noticed that a session can be hijacked
if someone was to get the PHP session ID, so therefore I need to take something from a user's computer
and store it in the session and finally compare it when it checks to see if a user is signed in.
I cannot use $_SERVER['REMOTE_ADDR']; this is because an AOL user's IP changes quite often while surfing.
So does anyone know what I could take?




Thanks in advance,
dale


#2 Adthegreat

Adthegreat
  • Members
  • Member
  • 16 posts

Posted 13 May 2006 - 12:06 AM

You could give them another variable, and store it in their cookies.

On my site, when someone logs in they are given a random hash which is stored in their cookies and my MySQL database, and every time they go to a new page it asks for their current hash and compares the one from their cookie to the database; if it is different it boots them.

This means that if someone were to steal the cookies and hijack the session, the user would just have to log back in and the cookie ID would have changed and the hacker will be booted. Also you need to require the old password when changing it to a new one so that if a session is hijacked, they can't change the password.
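The per-login token check described in the reply above, as an added example that is not part of the original thread or the poster's own code. The table, column, cookie and function names are hypothetical, and storing only a SHA-256 of the token in the database is an added choice so that a database leak does not expose usable cookie values.

```php
<?php
// Added example: a random token issued at login and checked on every request.
// Table, column, cookie and function names are hypothetical.

function issue_login_token(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    // Keep only a hash server-side; the raw token lives in the cookie alone.
    $stmt = $db->prepare(
        'REPLACE INTO login_tokens (user_id, token_hash) VALUES (?, ?)');
    $stmt->execute([$userId, hash('sha256', $token)]);
    return $token;                        // caller sends this as the cookie
}

function send_token_cookie(string $token): void {
    setcookie('login_token', $token, [
        'httponly' => true,   // not readable from page JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

function token_is_current(PDO $db, int $userId, string $cookieToken): bool {
    $stmt = $db->prepare(
        'SELECT token_hash FROM login_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    // Constant-time comparison; a missing row fails closed.
    return is_string($stored)
        && hash_equals($stored, hash('sha256', $cookieToken));
}

if (PHP_SAPI === 'cli') {
    // Constructed demo against an in-memory SQLite database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (
        user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL)');

    $copied = issue_login_token($db, 7);           // token from the first login
    var_dump(token_is_current($db, 7, $copied));   // checked before re-login
    $fresh = issue_login_token($db, 7);            // user logs back in
    var_dump(token_is_current($db, 7, $copied));   // earlier token replayed
    var_dump(token_is_current($db, 7, $fresh));    // token from the new login
}
```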



