Hi, I would like to know if there is anyway, to improve this code to protect it from being hacked and session hijacked. Is there anyway on how I can improve this code? session_start(); if(isset($_SESSION['user']) && !empty($_SESSION['user'])) {return true;}else {return false; }
<?php session_start(); if (isset($_SESSION['HTTP_USER_AGENT'])) { if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) { /* Prompt for password */ exit; } } else { $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); } ?> You can add your script along with this,it basically take care of wrong user-agent associated with session....and secure your script from "Session Hijacking"
see.... A typical HTTP request: GET / HTTP/1.1 Host: example.org User-Agent: Mozilla/5.0 Gecko Accept: text/xml, image/png, image/jpeg, image/gif, */* Cookie: PHPSESSID=1234 you can see PHPSESSID that can be hijacked easily....but if a hacker is using some other user agent as there are many...then the script i posted will easily protect you from this. $_SESSION['HTTP_USER_AGENT'] this is basically a variable for user agent....so even if your PHP session is hijacked...this security will save you.
The above isn't really an acceptable method of preventing hijacking. Realistically there's 3 browsers that compromise 90% of all users. If you are actually having a problem with session hijacking there's a good chance that the hijacker would be using the same browser even if only by chance. First off, I would use SSL if at all possible. By doing this the hijacker could not easily get access to the session information without having access to the user's computer. What are you trying to secure?
Another option is to have an IP session data value, and if the IP of the request doesn't match the session IP, invalidate it. Of course, this is going to devalue the experience of people on a mobile network or who have a dynamic IP.