On Wed, 19 Feb 2014 10:04:53 -0500, Aziz Saleh wrote

> On Tue, Feb 18, 2014 at 9:07 PM, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
>
> >
> > By the way, one of the other messages I've received in response
> > to my original question concerned a php.ini file setting,
> > session.use_strict_mode
> > (available PHP 5.5.2+) which appears to at least do the ignoring
> > thing, if a browser sends session data to the Server which does
> > not happen to match an existing session-data-file. Good show!
> >
> > vernnoner3voltazim
> > Vernon Nemitz
> >
>
> Glad you sorted it out. However, I don't think you understood
> what I meant. My original thought is that you were worried
> about session hijacking (someone finding out the session id
> a user uses, for example an admin) and going into your site and
> plugging that ID into the URL (or cookie by default) to take
> control over that session, basically logging in by the session
> id. What I do prevents that from happening by associating the
> session id not just with any user, but with that specific user
> that logged in.

I do understand the idea, but not the implementation as you have
so far described it. If the user has to keep identifying himself to
the web server, then that is data that the bad guy could obtain as
easily as the session ID.

However, it occurs to me that the IP address of the user, and that
of the bad guy, should always be different. So, if the IP address
was saved in association with the session ID, the server could
check for a matching IP address each time a request reached it
that began identifying itself with a session ID.

vernonner3voltazim
Vernon Nemitz

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
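The check described in the last message (store the client IP alongside the session at login, compare it on every request, and combine it with session.use_strict_mode), written out as an added example; this is not code from anyone in the thread. It assumes PHP 5.5.2 or later for session.use_strict_mode, and that the web server's REMOTE_ADDR is the address you want to bind to; the function names are my own.

```php
<?php
// Added example: bind a PHP session to the client IP recorded at login.
// Assumes PHP >= 5.5.2 (session.use_strict_mode) and that REMOTE_ADDR is
// the real client address (i.e. no reverse proxy in front of PHP).
ini_set('session.use_strict_mode', '1');   // ignore session IDs the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts
session_start();

// REMOTE_ADDR is filled in by the web server from the TCP connection.
// Headers such as X-Forwarded-For are client-supplied and are not used here.
function client_ip()
{
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
}

// Called once credentials have been verified: issue a fresh session ID
// (so a pre-set ID cannot be reused) and record who and from where.
function bind_session_to_user($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['bound_ip'] = client_ip();
}

// Called on every request that presents a session ID: the session only
// counts as logged in if it carries a user AND the IP still matches.
function session_is_valid()
{
    if (!isset($_SESSION['user_id'], $_SESSION['bound_ip'])) {
        return false;
    }
    return $_SESSION['bound_ip'] === client_ip();
}

// A request that arrives with a copied session ID from another address
// ends up here: drop the server-side data rather than serving it.
if (!session_is_valid()) {
    $_SESSION = array();
    session_destroy();
    header('Location: /login.php');   // hypothetical login page
    exit;
}
```

Clients behind carrier NAT or on mobile networks can legitimately change IP mid-session, so in practice this comparison is one signal to combine with others (HttpOnly/Secure cookies, regenerating the ID at login) rather than the sole gate.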