On 8/29/07, tedd <tedd@xxxxxxxxxxxx> wrote:
> When the user first generates a session id, grab the user's ip and
> store both in mysql.
>
> In the code, always check the session id against the user's ip before
> doing anything. If they don't match with what you started with, then
> stop. That should stop most Session-Hijackers, don't you think?

I can't comment on session hijacking, but you might be breaking sessions for some users by this. AOL, for example, uses multiple proxy servers for all their users' traffic (http://webmaster.info.aol.com/proxyinfo.html), so it is quite possible that requests from one user with the same session token (cookie, hidden form field, etc.) could come from multiple IP addresses. I suspect you'd see something similar for Tor users (http://tor.eff.org/).

According to Wikipedia (http://en.wikipedia.org/wiki/WP:AOLA), AOL includes an X-Forwarded-For header in any proxy requests that includes the actual client's IP address - if you really want to tie a session token to a particular IP address, you could check for this header as well. X-Forwarded-For won't help with Tor users, of course, but I don't know how large of a section of your user base that would affect...

Kirk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
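The two ideas in this exchange, binding a session to the address it was started from and consulting X-Forwarded-For when the request arrives through a proxy, put together as an added example. This is not code from the thread or from either poster. The proxy address, client addresses and the `$session` array are constructed stand-ins for `$_SERVER` and `$_SESSION`; the function names `client_address` and `session_address_ok` are this example's own. The one point the thread does not spell out is that any client can send an X-Forwarded-For header itself, so the example only honours it when the TCP peer is a proxy you have chosen to trust.

```php
<?php
// Added example, not from the mailing-list thread: bind a session to the
// client address it was created from, taking a trusted proxy into account.

/**
 * Decide which address to treat as "the client" for this request.
 *
 * $server is the $_SERVER array; $trustedProxies lists the proxy addresses
 * you operate or explicitly trust (e.g. the AOL proxy ranges from the page
 * linked in the thread). X-Forwarded-For is honoured only when the TCP peer
 * is one of those proxies, because the header is client-settable otherwise.
 * This assumes a single layer of trusted proxies in front of the server.
 */
function client_address(array $server, array $trustedProxies)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    if (in_array($peer, $trustedProxies, true)
        && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // A proxy appends the address it saw to the end of the list, so the
        // rightmost entry is the one the trusted proxy vouches for; anything
        // to the left is whatever the client or earlier hops put there.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

/**
 * Compare the current request against the address recorded when the
 * session was started. Returns true if the session may continue; on false
 * the caller should discard the session (session_destroy()) rather than
 * keep serving it.
 */
function session_address_ok(array &$session, $currentAddress)
{
    if (!isset($session['bound_addr'])) {
        // First request of this session: record the address we saw.
        $session['bound_addr'] = $currentAddress;
        return true;
    }
    return $session['bound_addr'] === $currentAddress;
}

// Constructed request data standing in for $_SERVER and $_SESSION.
$trusted = array('10.0.0.5');   // hypothetical reverse proxy we operate
$session = array();

// 1. Direct request: the session gets bound to 203.0.113.7.
$direct = array('REMOTE_ADDR' => '203.0.113.7');
var_dump(session_address_ok($session, client_address($direct, $trusted)));

// 2. Same client, but this time via the trusted proxy, which forwards the
//    original address. The binding still matches.
$viaProxy = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
);
var_dump(session_address_ok($session, client_address($viaProxy, $trusted)));

// 3. Same header, but sent by an untrusted peer pretending to be the
//    client. The header is ignored and the peer address is used instead,
//    so the check fails and the session should be dropped.
$spoofed = array(
    'REMOTE_ADDR'          => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
);
var_dump(session_address_ok($session, client_address($spoofed, $trusted)));
```

In a real handler the first argument would be `$_SERVER` and `$session` would be `$_SESSION` after `session_start()`. Note that this only addresses the AOL-style case where the proxy reports the real client; it does nothing for Tor exits, which do not forward the origin address, so a site with many such users still has to weigh broken sessions against the hijacking risk tedd raised.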