PHP - Hijacking
To prevent PHP form hijacking it's best to turn off register_globals, correct? But some of my applications stop responding when it's turned off. What is the risk? Any solution to avoid the risk?
Thanks.
Ruth.

Similar Tutorials

This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=312886.0

I have my script protected against all types of SQL injection, XSS injection, cookies and bots. But now I want to know what's the best way of preventing session hijacking? I know nothing can be 100% secured, but I want to know how to prevent it. And you know it: prevention is better than cure!

Which is the best place to put this code:

```php
// Remember the IP address the session was first seen from
if (isset($_SESSION['last_ip']) === false) {
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}
// Drop the session if a later request comes from a different address
if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
    session_unset();
    session_destroy();
}
```

Like this:

```php
class session {

    public $user_on = false;
    public $user_id;

    function __construct() {
        // make sure that javascript can not access session variable
        ini_set('session.cookie_httponly', true);
        session_start();

        // set the last ip the user has logged on with
        if (isset($_SESSION['last_ip']) === false) {
            $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
        }
        if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
            session_unset();
            session_destroy();
        }

        $this->check_login();
    }

    private function check_login() {
        if (isset($_SESSION['user_id'])) {
            global $user;
            $this->user_id = $_SESSION['user_id'];
            $this->user_on = true;
            $user->find_by_id($this->user_id);
        } else {
            unset($this->user_id);
            $this->user_on = false;
        }
    }
}
```

OR:

```php
class session {

    public $user_on = false;
    public $user_id;

    function __construct() {
        // make sure that javascript can not access session variable
        ini_set('session.cookie_httponly', true);
        session_start();
        $this->check_login();
    }

    private function check_login() {
        if (isset($_SESSION['user_id'])) {
            global $user;

            // (highlighted in the original post) IP check moved into check_login()
            // set the last ip the user has logged on with
            if (isset($_SESSION['last_ip']) === false) {
                $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
            }
            if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
                session_unset();
                session_destroy();
            }
            // (end of highlighted part)
            elseif ($_SESSION['last_ip'] === $_SERVER['REMOTE_ADDR']) {
                $this->user_id = $_SESSION['user_id'];
                $this->user_on = true;
                $user->find_by_id($this->user_id);
            }
        } else {
            unset($this->user_id);
            $this->user_on = false;
        }
    }
}
```

I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content. To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, then it lets them continue through the website; if not, it tells them to log in. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in? My idea was to generate a session key cookie when they log in (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive.
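An added example, not code from any of the posts above: one way to combine the checks the posts discuss (HttpOnly session cookie, IP binding, a login check on `$_SESSION['user_id']`) with session ID regeneration at login, so that the browser only ever holds an ID the server issued and the `$_SESSION` data stays on the server. The function names `start_secure_session`, `login_user` and `current_user_id` are hypothetical, and the `secure` flag assumes the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; PHP 7.3+ for the array form of session_set_cookie_params().

function start_secure_session(): void
{
    // Cookie flags and session settings must be in place before session_start().
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // assumption: HTTPS only
        'httponly' => true,     // same goal as session.cookie_httponly in the post
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
    session_start();
}

function login_user(int $userId, string $remoteAddr): void
{
    // Issue a fresh ID at login and delete the old one, so an ID
    // known before authentication is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_ip'] = $remoteAddr;
}

function current_user_id(string $remoteAddr): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_ip'])) {
        return null;                       // not logged in
    }
    if ($_SESSION['last_ip'] !== $remoteAddr) {
        // Address changed: treat as a different client and end the session.
        // Users on mobile networks or behind rotating proxies also land here.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Usage at the top of a protected page.
start_secure_session();
if (current_user_id($_SERVER['REMOTE_ADDR'] ?? '') === null) {
    http_response_code(403);
    exit('Please log in.');
}
```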