Stopping session hijacking
Would this work?
One thing I used to do back in the days when I didn't use a framework was to store items in the session data. I would create a fingerprint and then check that the fingerprint was valid on every page load.
You could store the IP address, but some ISPs -- I think AOL, to name one, changed the user's IP address randomly so you can't rely on that, because an AOL user would be continually logged out. One thing I used was the browser data -- such as browser identifier, language, etcetera. Whilst these are not always present, what I assumed when I did it was that if they didn't exist, it wasn't a valid user -- perhaps a bot or something like that.
There are, of course, plenty of other ways to ensure your session layer isn't compromised, which are well documented. However, at least in my opinion, your approach is certainly correct in theory.
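The check described in the post above, as an added example in Python that is not code from the original thread: a keyed hash of the User-Agent and Accept-Language headers is stored in the session at login and recomputed on every request. The client IP is deliberately left out (the AOL caveat), and a request missing either header is rejected rather than accepted, matching the poster's assumption. The secret, header names and sample requests are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-deployment secret. Keep it out of source control in real
# code; it is generated here only so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)

# Browser attributes the fingerprint is built from. The client IP is
# deliberately absent because some ISPs rotate it mid-session.
FINGERPRINT_HEADERS = ("user-agent", "accept-language")


class FingerprintError(ValueError):
    """Raised when a request lacks a header the fingerprint needs."""


def _normalise(headers):
    """Header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def compute_fingerprint(headers, secret=SERVER_SECRET):
    """Keyed hash (HMAC-SHA256) of the fingerprint headers.

    A missing or empty header raises, mirroring the rule that a request
    without browser headers is not treated as a valid user.
    """
    h = _normalise(headers)
    parts = []
    for name in FINGERPRINT_HEADERS:
        value = h.get(name)
        if not value or not value.strip():
            raise FingerprintError(f"missing {name} header")
        parts.append(value.strip())
    # Unit separator keeps "a"+"bc" distinct from "ab"+"c".
    material = "\x1f".join(parts).encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def start_session(session, headers, secret=SERVER_SECRET):
    """Record the fingerprint at login; returns it for convenience."""
    session["fingerprint"] = compute_fingerprint(headers, secret)
    return session["fingerprint"]


def validate_session(session, headers, secret=SERVER_SECRET):
    """Check on every page load that the request matches the stored fingerprint."""
    stored = session.get("fingerprint")
    if stored is None:
        return False
    try:
        current = compute_fingerprint(headers, secret)
    except FingerprintError:
        return False
    # Constant-time comparison; hex digests are equal length.
    return hmac.compare_digest(stored, current)


# Constructed sample requests (not real traffic).
LOGIN_REQUEST = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/10.0",
    "Accept-Language": "en-GB,en;q=0.8",
    "X-Client-IP": "203.0.113.10",
}
SAME_BROWSER_NEW_IP = dict(LOGIN_REQUEST, **{"X-Client-IP": "198.51.100.7"})
DIFFERENT_BROWSER = dict(LOGIN_REQUEST, **{"User-Agent": "curl/7.29.0"})
NO_LANGUAGE = {k: v for k, v in LOGIN_REQUEST.items() if k != "Accept-Language"}


def demo():
    """Run the four cases against one session and return the outcomes."""
    session = {}
    start_session(session, LOGIN_REQUEST)
    return {
        "same_browser": validate_session(session, LOGIN_REQUEST),
        "ip_changed": validate_session(session, SAME_BROWSER_NEW_IP),
        "different_browser": validate_session(session, DIFFERENT_BROWSER),
        "missing_header": validate_session(session, NO_LANGUAGE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Treat this as a defence-in-depth check only: both headers are chosen by the client, so an attacker who has captured the session cookie can usually replay the victim's User-Agent and Accept-Language as well. It is still worth pairing with HttpOnly and Secure cookie flags and regenerating the session ID after login.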
Thanks for the info.
Yes, I figured in theory that the method was a good way to go. But sometimes you miss something, so it's always good to get a second opinion.