Session hijacking prevention...how far will my script get me? additional prevention procedures?
Posted
by
Yusaf Khaliq
on Stack Overflow
See other posts from Stack Overflow
or by Yusaf Khaliq
Published on 2012-11-12T22:57:29Z
Indexed on
2012/11/12
22:59 UTC
Read the original article
Hit count: 308
When the user logs in the current session vairables are set
$_SESSION['user']['timeout'] = time();
$_SESSION['user']['ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['user']['agent'] = $_SERVER['HTTP_USER_AGENT'];
In my common.php page (required on ALL php pages) i have used the below script, which resets a 15 minute timer each time the user is active furhtermore checks the IP address and checks the user_agent, if they do not match that as of when they first logged in/when the session was first set, the session is unset furthermore with inactivity of up to 15 minutes the session is also unset.
... is what i have done a good method for preventing session hijacking furthermore is it secure and or is it enough? If not what more can be done?
if(!empty($_SESSION['user'])){
if ($_SESSION['user']['timeout'] + 15 * 60 < time()) {
unset($_SESSION['user']);
} else {
$_SESSION['user']['timeout'] = time();
if($_SESSION['user']['ip'] != $_SERVER['REMOTE_ADDR']){
unset($_SESSION['user']);
}
if($_SESSION['user']['agent'] != $_SERVER['HTTP_USER_AGENT']){
unset($_SESSION['user']);
}
}
}
© Stack Overflow or respective owner