What are some methods to stop cookie hijacking? I have a site that is 100% based on cookies and I want to prevent hijacking before it happens. Thanks.
Are you concerned about somebody using a cookie to impersonate another user, or are you concerned about the data stored in the cookie itself? If you are just concerned about the data, then sessions are the solution you need. They won't prevent user impersonation by someone with access to the victim's computer, however. Sessions store a reference to a set of values on your server which you want associated with a particular user session. If you use sessions, then you should check the IP address against a value stored for that session at login and, although less useful, I would also check the user agent and any other data you can get from the user. One thing to note with sessions is that they typically last for only a short period of time. So for purposes like auto-populating a login form with the user's username, sessions won't work and you'll need to use cookies.
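The check described in the answer above, as an added example that is not part of the original posts: a server-side session store where the cookie holds only a random ID and each request is compared against the IP address and user agent recorded at login. The class name, method names and the 15-minute idle timeout are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, since sessions are short-lived


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random ID."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def login(self, username, ip, user_agent):
        """Create a session and return the ID to place in the cookie."""
        sid = secrets.token_urlsafe(32)  # unguessable reference, no user data
        self._sessions[sid] = {
            "user": username,
            "ip": ip,            # value stored for the session at login
            "ua": user_agent,    # weaker signal, still worth comparing
            "last_seen": self._now(),
        }
        return sid

    def validate(self, sid, ip, user_agent):
        """Return the username, or None if the request must be rejected."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        expired = self._now() - session["last_seen"] > IDLE_TIMEOUT
        same_client = session["ip"] == ip and session["ua"] == user_agent
        if expired or not same_client:
            # A mismatch may mean the cookie was copied to another machine:
            # destroy the session so the ID cannot be tried again.
            del self._sessions[sid]
            return None
        session["last_seen"] = self._now()
        return session["user"]


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, made-up user agent).
    store = SessionStore()
    sid = store.login("alice", "203.0.113.10", "ExampleBrowser/1.0")
    print(store.validate(sid, "203.0.113.10", "ExampleBrowser/1.0"))  # same client
    print(store.validate(sid, "198.51.100.7", "ExampleBrowser/1.0"))  # other IP
```

Users whose IP address changes mid-session (mobile networks, some proxies) will be logged out by the strict comparison, so the rejection path should lead back to the login form rather than to an error page.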