Question

I m working on an RIA in PHP. To try to prevent session hijacking I introduced a token, generated at login, based off a salt, ISO-8601 week number and the user s IP.

$salt      = "blahblahblah";
$tokenstr  = date( W ) . $salt . $_SERVER[ REMOTE_ADDR ];
$token_md5  = md5($tokenstr);
define("token_md5", $token_md5);

Currently, it s passed by GET or POST with every request, but I was wondering if I could avoid this by offering it as a cookie, since it is dependent on the user s IP. I m just now learning sessions, so I was wondering if there are any security concerns with doing that? Is it a bad idea?

Answer 1

Any data the user keeps can be stolen; any data a visitor sends could be spoofed. Better to store the remote IP in $_SESSION when the session is opened, and compare the remote IP with every request. If they don t match, it s probably a hijack. Generate a new ID and have the user log back in.

Answer 2

session_regenerate_id() is great for preventing session hijacking.

session_regenerate_id — Update the current session id with a newly generated one

Continuously rotate the session_id for every page visit. Makes it very difficult to hijack a constantly moving target.

Answer 3

I have done a RIA with the same approach you have done, and I just set up SSL on the application for security. Since Flex and remoting is sessionless. I d recommend using SSL. My co worker also developed an application with user login/logout and he did the same thing.

友情链接