Fingerprint and sessions?
Posted: Fri Sep 03, 2010 2:54 pm
Hi,
I've carefully read this page http://phpsec.org/projects/guide/4.html explaining methods to protect against session hijacking, and I have one question to which I can't find any solution myself...
Tell me if I'm wrong, but sessions are completely and only stored on the server side. The user is only given a session identifier.
So if that is right, what is the point in adding salt to the $_SESSION['HTTP_USER_AGENT'] (they present it at the bottom; they add something like 'SHIFLETT')?
The client is not going to store this data anyway, so I see no additional challenge for authentication here. Am I wrong?
Thanks in advance,
J
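To make the mechanism the poster is asking about concrete, here is an added example (not code from phpsec.org or from the poster) of a server-side session fingerprint check. It assumes the guide's pattern of hashing the User-Agent together with a server-side secret and storing the result in the session; the secret name FINGERPRINT_KEY, the login/request functions, the in-memory SESSIONS store and the User-Agent strings are all constructed for this example, and it uses HMAC-SHA256 where the guide's snippet concatenates a literal string and calls md5().

```python
"""Server-side session fingerprint check, in the style of the phpsec guide.

Added example, not code from phpsec.org. The session store, the
login/request functions and the sample User-Agent strings are all
constructed here so the file runs offline.
"""
import hashlib
import hmac
import secrets

# Server-side secret mixed into the fingerprint. The guide's snippet appends
# a literal such as 'SHIFLETT' before md5(); here it is the key of an
# HMAC-SHA256, which is the same idea with a stronger construction.
# It never leaves the server and is never sent to the client.
FINGERPRINT_KEY = b"replace-with-a-random-server-secret"  # assumption

# Simulated server-side session store: session id -> session data.
# Only the id is ever handed to the client (as the session cookie).
SESSIONS: dict[str, dict] = {}


def make_fingerprint(user_agent: str) -> str:
    """Keyed hash of the User-Agent. Without FINGERPRINT_KEY nobody can
    derive this value from the User-Agent alone."""
    return hmac.new(FINGERPRINT_KEY, user_agent.encode(), hashlib.sha256).hexdigest()


def login(user_agent: str, username: str) -> str:
    """Create a session after a successful login and return the id the
    client stores in its cookie."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {
        "user": username,
        "fingerprint": make_fingerprint(user_agent),
    }
    return session_id


def request(session_id: str, user_agent: str) -> bool:
    """Check an incoming request: the session must exist and the fingerprint
    recomputed from *this* request's User-Agent must match the stored one.
    Returns True if the request is accepted as coming from the session's owner."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    expected = session["fingerprint"]
    actual = make_fingerprint(user_agent)
    if not hmac.compare_digest(expected, actual):
        # Mismatch: treat as a possible hijack and destroy the session, so the
        # stolen id is useless to both parties from now on.
        del SESSIONS[session_id]
        return False
    return True


def demo() -> dict:
    """Run the cases the post is asking about and return the outcomes."""
    victim_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"  # constructed
    attacker_ua = "curl/7.21.0"                                  # constructed
    sid = login(victim_ua, "alice")
    return {
        # Owner presents the id with the same User-Agent: accepted.
        "owner_same_ua": request(sid, victim_ua),
        # Someone presents the stolen id with a different User-Agent:
        # rejected, and the session is destroyed.
        "thief_other_ua": request(sid, attacker_ua),
        # The owner is now logged out as well, since the session is gone.
        "owner_after_hijack_attempt": request(sid, victim_ua),
        # An unkeyed hash of the User-Agent is all that can be computed
        # without the server secret; it does not equal the stored fingerprint.
        "unkeyed_hash_matches": hashlib.sha256(victim_ua.encode()).hexdigest()
        == make_fingerprint(victim_ua),
    }
```

Two practical caveats when using this: the User-Agent header is chosen by whoever sends the request, so an attacker who captured the session id on the wire usually captured the User-Agent with it and can replay both, which is why this check only raises the bar rather than preventing hijacking; and a legitimate user's User-Agent can change mid-session (browser update, some proxies), in which case the check above logs them out.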