Fingerprint and sessions?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Terminux
Forum Newbie
Posts: 4
Joined: Sat Aug 14, 2010 2:48 pm

Fingerprint and sessions?

Post by Terminux »

Hi,

I've read carefully this page http://phpsec.org/projects/guide/4.html explaining methods to protect against session hijacking, and I have one question to which I can't find any solution myself...

Tell me if I'm wrong, but sessions are completely and only stored on the server side. The user is only given a session identifier.
So if that is right, what is the point in adding salt to the $_SESSION['HTTP_USER_AGENT'] (they present it at the bottom, they add something like 'SHIFLETT')?

The client is not going to store this data anyway so I see no additional challenge for authentication here. Am I wrong?

Thanks in advance,
J
Gargoyle
Forum Contributor
Posts: 130
Joined: Wed Jul 14, 2010 12:25 am

Re: Fingerprint and sessions?

Post by Gargoyle »

Perhaps you should go read the article again; the author clearly states that he assumes that the session has been compromised and he's adding an MD5 checksum of the browser identification string to check it against the user's browser for further security. It can't hurt, but you'd better prevent your sessions from being hijacked in the first place.

Other than that, read here why salting is a good idea:
http://www.thelampblog.com/2010/07/31/p ... s-hashing/
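The fingerprint check Gargoyle describes, as an added example that is not code from this thread or from the phpsec.org guide: the User-Agent is hashed with a server-side secret, stored in the server-side session, and compared on each request. FINGERPRINT_KEY, buildFingerprint() and startVerifiedSession() are names assumed here, and the key value is a placeholder to be replaced by a secret loaded from configuration.

```php
<?php
// Added example (not from the thread or the phpsec.org guide): a keyed
// fingerprint of the User-Agent kept in the server-side session and
// re-checked on every request.
declare(strict_types=1);

// Placeholder: load a long random secret from configuration in real code.
const FINGERPRINT_KEY = 'replace-with-a-long-random-secret-from-config';

function buildFingerprint(string $userAgent, string $key): string
{
    // HMAC-SHA256 instead of md5($ua . 'SHIFLETT'): the key never leaves
    // the server, so the value cannot be derived from the User-Agent alone.
    return hash_hmac('sha256', $userAgent, $key);
}

function startVerifiedSession(): void
{
    session_start();
    $current = buildFingerprint($_SERVER['HTTP_USER_AGENT'] ?? '', FINGERPRINT_KEY);

    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: issue a fresh id and bind it to
        // the browser that created it.
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $current;
        return;
    }

    // Constant-time comparison. A mismatch means the session id is being
    // presented by a client that does not match the one that created it.
    if (!hash_equals($_SESSION['fingerprint'], $current)) {
        error_log('session fingerprint mismatch for id ' . session_id());
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session invalid, please log in again.');
    }
}

startVerifiedSession();
```

Call startVerifiedSession() at the top of every page that uses the session; a legitimate browser upgrade changes the User-Agent and will also force a new login, which is the usability cost of this check.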