http://www.sitepoint.com/blog-post-view.php?id=156260
Especially check out the session fixation pdf. Some good stuff in there with scenarios and various measures to take. A few basic ones:
- Change session IDs after the user has successfully logged in.
- Create an md5 hash of _something_ static, store it in the session and compare it on each page request. If it doesn't match, then destroy the session. The _something_ could be: "FOO" + $_SERVER['HTTP_USER_AGENT'] + etc... (IP can be used, but AOL proxy users won't be using the same IP)
-r
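The two measures from the post above, put together in PHP as an added example (this is not code from the original post or from the linked PDF). It assumes an application-defined secret constant `FINGERPRINT_SALT` (standing in for the post's "FOO"), a hypothetical `login_ok()` credential check in the usage comment, and that `session_start()` has already run on the request. It uses sha256 in place of the post's md5; either is fine for a fingerprint, and it leaves the client IP out for the proxy reason the post gives.

```php
<?php
// Added example, not part of the original post.
declare(strict_types=1);

// Assumption: an app-specific secret, kept out of the web root in real code.
const FINGERPRINT_SALT = 'replace-with-a-long-random-app-secret';

// Fingerprint built from something static for this client: the salt plus the
// User-Agent. No client IP, since proxy pools (the post's AOL example) rotate it.
function session_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // sha256 instead of the post's md5; the digest is only used as a fingerprint.
    return hash('sha256', FINGERPRINT_SALT . '|' . $ua);
}

// Call once the credentials have been verified.
function on_successful_login(int $userId, array $server): void
{
    // 1. Swap the session ID so an ID planted before login is worthless.
    //    true = delete the old session data instead of leaving a copy behind.
    session_regenerate_id(true);
    // 2. Store the fingerprint that every later request must match.
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = session_fingerprint($server);
}

// Call at the top of every page that needs a logged-in session.
// Returns true if the session is usable, false if it was absent or destroyed.
function check_session(array $server): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return false; // not logged in
    }
    // hash_equals: constant-time compare so the stored value is not leaked byte by byte.
    if (!hash_equals($_SESSION['fingerprint'], session_fingerprint($server))) {
        // Mismatch: treat the session as hijacked and throw it away, cookie included.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    return true;
}

// Usage (login_ok() is hypothetical; session_start() assumed to have run):
// if (login_ok($username, $password)) { on_successful_login($userId, $_SERVER); }
// ...
// if (!check_session($_SERVER)) { header('Location: /login.php'); exit; }
```

The regeneration step is the one that actually defeats fixation; the fingerprint is a second layer that catches a stolen session ID reused from a client with a different User-Agent, and nothing more, since the User-Agent is attacker-controlled and can be copied along with the cookie.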