Session hijack protection

Posted: Fri Apr 18, 2008 3:02 pm
by samb0057

Code:

<?php
/**
 * Start session
 */
session_start();

/**
 * Check fingerprint: bind the session to the client IP on first use and
 * reject any later request that arrives from a different address.
 */
// Raw (binary) SHA-512 of the client's address
$fingerprint = hash('sha512', $_SERVER['REMOTE_ADDR'], true);
if (isset($_SESSION['fingerprint'])) {
    if ($fingerprint !== $_SESSION['fingerprint']) {
        throw new Exception('Session hijack attempted.');
    }
}
else {
    $_SESSION['fingerprint'] = $fingerprint;
}

Re: Session hijack protection

Posted: Fri Apr 18, 2008 3:07 pm
by Oren
You didn't ask anything... what's the point of this post?

Re: Session hijack protection

Posted: Fri Apr 18, 2008 3:09 pm
by onion2k
That won't stop people behind the same router hijacking each other's sessions.
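
Added example, not part of the original thread and not code from any poster: the fingerprint check from the first post wrapped in a hypothetical function (`fingerprint_matches`, with `$session` standing in for `$_SESSION`) and run over constructed requests. It shows that a second client sharing the owner's public address passes the check, while the owner is rejected after moving to a different network.

```php
<?php
// Added example. fingerprint_matches() is a hypothetical helper that repeats
// the logic of the snippet in the first post; $session stands in for $_SESSION.
function fingerprint_matches(array &$session, string $remoteAddr): bool
{
    // Same fingerprint as the thread's code: raw SHA-512 of the client address.
    $fingerprint = hash('sha512', $remoteAddr, true);

    if (!isset($session['fingerprint'])) {
        // First request: bind the session to this address.
        $session['fingerprint'] = $fingerprint;
        return true;
    }

    // Later requests: accept only if the address hashes to the stored value.
    return $session['fingerprint'] === $fingerprint;
}

// Constructed requests using documentation-range addresses (RFC 5737).
// Clients behind one router reach the server with the same REMOTE_ADDR.
$requests = [
    ['who' => 'owner, first request',         'ip' => '203.0.113.7'],
    ['who' => 'owner, next request',          'ip' => '203.0.113.7'],
    ['who' => 'other client, same router',    'ip' => '203.0.113.7'],
    ['who' => 'owner, after network change',  'ip' => '198.51.100.24'],
];

$session = [];
foreach ($requests as $r) {
    $accepted = fingerprint_matches($session, $r['ip']);
    printf(
        "%-30s %-15s %s\n",
        $r['who'],
        $r['ip'],
        $accepted ? 'accepted' : 'rejected'
    );
}
```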

Re: Session hijack protection

Posted: Fri Apr 18, 2008 3:16 pm
by samb0057
Oren wrote: You didn't ask anything... what's the point of this post?
Oh yeah. I don't know, I just wanted to give this to anyone who needed it. I guess I should have put it in code snippets or something.