I'm pretty new to PHP and have just been told a script I am building is fairly vulnerable to session hijacking. Can anyone please give me any ideas on how you can prevent this? Is there a definitive way that you use? Help will be much appreciated.
Remind me again, how can this get hijacked? I can be wrong here, but I thought that...

page 1:

    session_start();
    $sid = session_id(); // makes it a new one.

page 2:

    session_start();
    $sid = session_id(); // same as page 1.

You don't need to actually pass the session id to page 2 like ?sid=123291873122213123. Even if for whatever reason somebody can obtain a particular session id (say, from their browser's cookies), it's not a client-side setting; trust the server alone and have register_globals off.
You will need to keep a signature of the user's session in a session variable:

    /* Right when you log the user in */
    if (usernameandpasswordvalid()) {
        session_regenerate_id(); // This will take care of session fixation attacks
        $_SESSION['valid_user'] = true;
        /* For session hijacking; the user agent is most likely to stay the same */
        $_SESSION['user_sig'] = md5('SOME SECRET KEYWORD' . $_SERVER['HTTP_USER_AGENT']);
    }

Now in other pages, you will have to check and see if the user is valid like this:

    if ($_SESSION['valid_user'] && $_SESSION['user_sig'] == md5('SOME SECRET KEYWORD' . $_SERVER['HTTP_USER_AGENT'])) {
        define('VALID_USER', true);
    } else {
        define('VALID_USER', false);
    }

This is a very strong session...
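The thread's advice (regenerate the ID at login, bind the session to a client trait) put together as one reusable helper. This is an added example, not code from any poster; it assumes PHP 7.3 or newer, that the site is served over HTTPS, and that a server-side secret is available in an environment variable named SESSION_FINGERPRINT_KEY (a name chosen for this example). Because the browser presents the session ID with every request, anyone who obtains that ID (from a cookie, a log, or a URL) can present it too, so the example also locks down how the ID is transported and adds idle and absolute timeouts to shorten the window in which a stolen ID is useful.

```php
<?php
// Added example (not from the original thread): session hardening for PHP 7.3+.
// Assumptions: HTTPS is in use; a secret is set in SESSION_FINGERPRINT_KEY.
declare(strict_types=1);

const IDLE_TIMEOUT     = 30 * 60;      // seconds of inactivity before logout
const ABSOLUTE_TIMEOUT = 8 * 60 * 60;  // hard lifetime of a login, in seconds

function secure_session_start(): void
{
    // Cookie flags: not readable by JavaScript (HttpOnly), only over TLS
    // (Secure), not sent on cross-site requests (SameSite=Strict).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    session_start();
}

// Keyed hash of a client trait. hash_hmac is the right construction when a
// secret is involved, rather than md5('secret' . $ua).
function client_fingerprint(): string
{
    $key = getenv('SESSION_FINGERPRINT_KEY') ?: '';
    if ($key === '') {
        throw new RuntimeException('SESSION_FINGERPRINT_KEY is not configured');
    }
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', $key);
}

function login_user(int $userId): void
{
    // A fresh ID on privilege change defeats session fixation; passing true
    // deletes the old session data so the pre-login ID cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['user_sig']  = client_fingerprint();
    $_SESSION['login_at']  = time();
    $_SESSION['last_seen'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// True only when a user is logged in, the fingerprint matches, and neither
// timeout has passed. Any failure destroys the session rather than leaving
// a half-valid one behind.
function session_is_valid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['user_sig'],
               $_SESSION['login_at'], $_SESSION['last_seen'])) {
        return false;
    }
    $now = time();
    $ok  = hash_equals($_SESSION['user_sig'], client_fingerprint())   // constant-time compare
        && ($now - $_SESSION['last_seen']) <= IDLE_TIMEOUT
        && ($now - $_SESSION['login_at'])  <= ABSOLUTE_TIMEOUT;
    if (!$ok) {
        logout_user();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// Usage at the top of every protected page:
secure_session_start();
if (!session_is_valid()) {
    header('Location: /login.php');
    exit;
}
```

Two design notes. The user-agent check is defence in depth, not a proof of identity: the header is sent by the client, so it can be copied along with the cookie, and it changes when a browser updates, which logs legitimate users out; the cookie flags, strict mode and timeouts carry more of the weight. The comparison uses hash_equals rather than ==, so that two hashes are compared in constant time and loose comparison quirks on hex strings are avoided.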