I have this code:
if (isset($_SESSION['user_agent'])) {
    // Compare the MD5 of the User-Agent header stored at login with the one on this request.
    if ($_SESSION['user_agent'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        die('Session error.');
    }
}
Everything works fine. But every time I log in (once per 24 hours), I get the error. Is the user agent changing or something?
Thanks for your help.
A session has a limited lifetime, usually a few minutes or hours: http://www.php.net/manual/en/session.configuration.php
Anyone capable of hijacking sessions (ie via sniffing unencrypted HTTP) has the keys to the kingdom once an authenticated user comes along.
HTTP_USER_AGENT? Yeah, that's also sent in the clear, and the attacker can just spoof it. Any MitM appliance that steals/spoofs session cookies will generally also impersonate the user agent of the user's browser too.
The only solution here is HTTPS, which is now free thanks to Let's Encrypt.
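As an added example (not code from the question or the answer above), here is how the session handling could be written so that it does not depend on the spoofable User-Agent hash at all: the session cookie is marked Secure so it is only ever sent over HTTPS, the id is regenerated on login, and the "session error" the asker sees is replaced by an explicit idle and absolute expiry check. The timeout values, the /login.php redirect target and the PHP 7.3+ requirement (for the samesite cookie option) are assumptions, not from the original thread.

```php
<?php
// Added example, not from the original question or answer.
// Assumes PHP 7.3+ and that the site is served over HTTPS.
declare(strict_types=1);

const SESSION_IDLE_TIMEOUT      = 1800;  // 30 min without a request ends the session (assumed policy)
const SESSION_ABSOLUTE_LIFETIME = 86400; // 24 h maximum, regardless of activity (assumed policy)

function startSecureSession(): void
{
    // Reject session ids the client presents that this server never issued.
    ini_set('session.use_strict_mode', '1');
    // Carry the session id only in a cookie, never in the URL.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie is discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // sent only over HTTPS, so a sniffer on plain HTTP never sees it
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();
}

function onSuccessfulLogin(int $userId): void
{
    // A fresh id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
    $_SESSION['last_seen']  = time();
}

function sessionIsValid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['created_at'], $_SESSION['last_seen'])) {
        return false;
    }
    $now = time();
    if ($now - $_SESSION['created_at'] > SESSION_ABSOLUTE_LIFETIME) {
        return false; // hard cap reached: force a fresh login
    }
    if ($now - $_SESSION['last_seen'] > SESSION_IDLE_TIMEOUT) {
        return false; // user walked away: expire rather than leave a live session around
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser, keeping the same attributes it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage on every authenticated page: expired or missing sessions are sent back
// to the login form instead of dying with a bare "Session error.".
startSecureSession();
if (!sessionIsValid()) {
    endSession();
    header('Location: /login.php'); // assumed login page path
    exit;
}
```

Note that none of this is a substitute for the HTTPS deployment the answer calls for: the Secure flag only stops the cookie from leaking over HTTP, it does not make HTTP pages themselves safe.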