Menu
Community /Pin to ProfileBookmark
@NogDogSep 29.2013 — #One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again. This is not a cure-all, but can help in some cases, in particular someone sniffing the cookies on a non-https connection (another good reason to use https?).
It's also a good idea to make the user log in any time they hit a particularly sensitive page and their last log-in was more than some arbitrary time in the past.
For more details and other ideas, I recommend[url=http://phpsecurity.org/]Essential PHP Security[/url] .@NogDogSep 29.2013 — #
Yes, in theory they [i]could[/i], but I suspect the number of people who use a different proxy for each page request from the same site during the same browsing session are very, very small?
That won't matter for what I'm suggesting, though it would mean that if, say, a co-worker stole your session cookie, then that technique would not help.@NogDogSep 30.2013 — #Some useful info here: http://stackoverflow.com/questions/12233406/preventing-session-hijacking#12234563
(Would seem to agree that the best way is to make the session ID as unknowable as possible (high entropy on the ID, must use HTTPS, note the PHP session settings) and not try to detect changes via IP, user agent header, etc.)
How to prevent session hijacking and session fixation
i dont know How to prevent session hijacking and session fixation. i read a book on PHP (cookbook). But i could not grab the concept. so what’s the procedure. pls help
Thanks.
Sign in
to post a comment6 Comments(s) ↴
0
@NogDogSep 29.2013 — #One thing you can do is track the user's IP address in the session data, and any time it does not match the current request's IP, make the user log in again. This is not a cure-all, but can help in some cases, in particular someone sniffing the cookies on a non-https connection (another good reason to use https?).It's also a good idea to make the user log in any time they hit a particularly sensitive page and their last log-in was more than some arbitrary time in the past.
For more details and other ideas, I recommend
0
@NogDogSep 29.2013 — #I would not suggest using the IP for tracking purposes, because a single user can use a different IP address for each request (the request might come from a different proxy).[/quote]
Yes, in theory they [i]could[/i], but I suspect the number of people who use a different proxy for each page request from the same site during the same browsing session are very, very small?
Also, multiple users might use the same IP address (many computer labs use an HTTP proxy).[/QUOTE]
That won't matter for what I'm suggesting, though it would mean that if, say, a co-worker stole your session cookie, then that technique would not help.
0
@NogDogSep 30.2013 — #Some useful info here: (Would seem to agree that the best way is to make the session ID as unknowable as possible (high entropy on the ID, must use HTTPS, note the PHP session settings) and not try to detect changes via IP, user agent header, etc.)