Session hijack protection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

samb0057
Forum Commoner
Posts: 27
Joined: Wed Mar 26, 2008 9:51 am

Session hijack protection

Post by samb0057 »

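Code:

/**
 * Start session
 **/

session_start();

/**
 * Check fingerprint
 **/

// Fingerprint is the raw SHA-512 digest of the client's IP address.
$fingerprint = hash('sha512', $_SERVER['REMOTE_ADDR'], true);
if (isset($_SESSION['fingerprint'])) {
    // A stored fingerprint that differs from the current one means the address changed.
    if ($fingerprint !== $_SESSION['fingerprint']) {
        throw new Exception('Session hijack attempted.');
    }
}
else {
    // First request in this session: remember the fingerprint.
    $_SESSION['fingerprint'] = $fingerprint;
}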
Last edited by onion2k on Fri Apr 18, 2008 3:10 pm, edited 1 time in total.
Reason: Use code tags [code=php][/code] around your code please.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: Session hijack protection

Post by Oren »

You didn't ask anything... what's the point of this post?
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: Session hijack protection

Post by onion2k »

That won't stop people behind the same router hijacking each other's sessions.
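
The limitation raised in the reply above, shown as an added example (not code from the thread): the original post's check wrapped in a hypothetical `check_fingerprint()` function and run against constructed requests. The addresses are documentation-range placeholders, and the third case, the owner's address changing mid-session, goes beyond what the thread covers.

```php
<?php
// Added example: the thread's fingerprint check as a function, run against
// constructed requests. check_fingerprint() and fingerprint() are hypothetical
// helper names; addresses come from documentation ranges (RFC 5737).

/** Fingerprint exactly as in the original post: raw SHA-512 of the client address. */
function fingerprint(array $server): string
{
    return hash('sha512', $server['REMOTE_ADDR'], true);
}

/**
 * Returns true when the request is accepted for this session.
 * The first request stores the fingerprint; later ones must match it.
 */
function check_fingerprint(array &$session, array $server): bool
{
    $current = fingerprint($server);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $current;
        return true;
    }
    return $session['fingerprint'] === $current;
}

// Constructed scenario: the server sees only the router's public address
// for every machine behind it, so REMOTE_ADDR is identical for all of them.
$session   = [];                                 // stands in for $_SESSION
$owner     = ['REMOTE_ADDR' => '203.0.113.10'];  // session owner, via the router
$neighbour = ['REMOTE_ADDR' => '203.0.113.10'];  // another machine, same router
$roaming   = ['REMOTE_ADDR' => '198.51.100.7'];  // owner after changing network

$results = [
    'owner, first request'      => check_fingerprint($session, $owner),
    'other client, same router' => check_fingerprint($session, $neighbour),
    'owner, new address'        => check_fingerprint($session, $roaming),
];

// The second case is accepted (the check cannot tell the two clients apart);
// the third is rejected even though it is the legitimate owner.
foreach ($results as $case => $accepted) {
    printf("%-28s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```
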
samb0057
Forum Commoner
Posts: 27
Joined: Wed Mar 26, 2008 9:51 am

Re: Session hijack protection

Post by samb0057 »

Oren wrote: You didn't ask anything... what's the point of this post?
Oh yeah. I don't know, I just wanted to give this to anyone who needed it. I guess I should have put it in code snippets or something.