
PHP session spoofing/hijacking

When someone logs in to my site, they obviously fill out a form with username and password. The form then checks if that exists in the database (the encrypted version of that password of course), and then starts a session with that person's user ID as the session ID.

Is this prone to any kind of spoofing/hijacking/hacking? Is there a safer way to do sessions so that no one can "log into someone else's account" by mistake?

        // Assumes $uid and $email were set by the preceding username/password check
        // and that session_start() has already been called for this request.
        session_start();

        // Issue a fresh, server-generated session ID after login (true deletes the
        // old session data), so an ID seen before login cannot be reused afterwards.
        session_regenerate_id(true);

        // The user ID is stored inside the session, not used as the session ID.
        $_SESSION['SESS_MEMBER_ID'] = $uid;
        $_SESSION['SESS_NAME'] = $email;

        session_write_close();

Your best option is to check the IP address of the user or their user agent.

Of course they will have to re-authenticate if their IP address changes, for example if a user on a smartphone leaves their WiFi range and starts using their cellular network. I think the security payoff for the minor inconvenience to what is likely a small percentage of users is worth it.
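As an added illustration of both the regeneration snippet and the IP/user-agent binding suggested above (example code written for this page, not from any poster): the session ID stays the random one PHP generates, the user ID lives inside the session, and a client fingerprint is checked on every request. It assumes PHP 7.3 or later and that the password check has already succeeded before `login_session()` is called; the `$_SESSION` key names follow the snippet above, the function names are my own.

```php
<?php
// Added example, not from the question or either answer; see lead-in for assumptions.

// Session settings must be applied before session_start().
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept an ID from the URL
session_set_cookie_params([
    'httponly' => true,   // keep the cookie away from JavaScript
    'secure'   => true,   // only send over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// The binding the answer above describes: the session is tied to the client's
// User-Agent (and optionally IP), so a copied cookie sent from elsewhere is refused.
function client_fingerprint(bool $bind_ip = false): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bind_ip) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// Call right after the password check succeeds. The session ID stays a random
// server-generated token; the user id is a value stored inside the session.
function login_session(int $uid, string $email): void
{
    session_regenerate_id(true);   // new ID, old session data deleted
    $_SESSION['SESS_MEMBER_ID'] = $uid;
    $_SESSION['SESS_NAME']      = $email;
    $_SESSION['SESS_FP']        = client_fingerprint();
    session_write_close();
}

// Call at the top of every page that needs a logged-in user.
function current_member_id(): ?int
{
    if (!isset($_SESSION['SESS_MEMBER_ID'], $_SESSION['SESS_FP'])) {
        return null;
    }
    // Fingerprint changed: possible hijack, discard the session and force re-login.
    if (!hash_equals($_SESSION['SESS_FP'], client_fingerprint())) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['SESS_MEMBER_ID'];
}
```

Passing `true` to `client_fingerprint()` in both places adds the IP binding the answer suggests, with the re-authentication cost on network changes it describes.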
