Hi,
I've read carefully this page http://phpsec.org/projects/guide/4.html explaining methods to protect against session hijacking, and I have one question to which I can't find any solution myself...
Tell me if I'm wrong, but sessions are completely and only stored on the server side. The user is only given a session identifier.
So if that is right, what is the point in adding salt to the $_SESSION['HTTP_USER_AGENT'] (they present it at the bottom, they add something like 'SHIFLETT')?
The client is not going to store this data anyway so I see no additional challenge for authentication here. Am I wrong?
Thanks in advance,
J
Fingerprint and sessions?
Moderator: General Moderators
Re: Fingerprint and sessions?
Perhaps you should go read the article again; the author clearly states that he assumes that the session has been compromised and he's adding an md5 checksum of the browser identification string to check it against the user's browser for further security. It can't hurt, but you'd better prevent your sessions from being hijacked in the first place.
Other than that, read here why salting is a good idea:
http://www.thelampblog.com/2010/07/31/p ... s-hashing/
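As an added example, not code from this thread or from the phpsec.org guide, here is a PHP check of the kind the reply describes: a salted hash of the browser's User-Agent string is kept in the server-side session and compared on every request, and a mismatch is treated as a hijacked session. The constant and function names, the use of sha256 instead of the guide's md5, and the error handling are my assumptions.

```php
<?php
// Added example of a salted session fingerprint check (assumed names).
// 'SHIFLETT' is the salt value the thread quotes; use your own secret.
const FINGERPRINT_SALT = 'SHIFLETT';

function fingerprint(string $userAgent): string
{
    // Hash the browser identification string together with a server-side
    // salt. The salt never leaves the server, so the stored value cannot be
    // derived from the public User-Agent string alone.
    return hash('sha256', FINGERPRINT_SALT . $userAgent);
}

function checkFingerprint(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $current = fingerprint($_SERVER['HTTP_USER_AGENT'] ?? '');

    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: record the fingerprint server-side.
        $_SESSION['fingerprint'] = $current;
        return true;
    }

    // Constant-time comparison against the value stored in the session.
    if (hash_equals($_SESSION['fingerprint'], $current)) {
        return true;
    }

    // Mismatch: log it for detection, then discard the whole session.
    error_log('session fingerprint mismatch for session ' . session_id());
    $_SESSION = [];
    session_destroy();
    return false;
}

if (!checkFingerprint()) {
    http_response_code(403);
    exit('Session invalid');
}
```

Call `checkFingerprint()` at the top of every page that relies on the session, before any session data is read.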