NYCPHP Meetup

NYPHP.org

[nycphp-talk] Session security: protecting against hijacking attempts

Eric Rank flakie at gmail.com
Wed Dec 15 15:26:34 EST 2004


Hi all,

I'm looking for a good standard practice for authenticating Sessions
to protect against hijacking attempts. What have you tried? What
works? What doesn't?

I know that the only REAL way to protect against this is to use SSL,
but I'm trying to get as secure as possible without SSL.

So far I've decided that as a minimum I can check the user agent and
the remote ip address on each page request to see if a session is
hijacked. This is the most obvious way to see if the session is being
used by a different user. However, these things can be spoofed, and in
fact, they probably don't even need to be spoofed if 2 users are
behind the same router and have the same user agent.

What else can one do to protect?

Thanks,

Eric Rank
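
An added example of the check described in the post above, written for this page rather than taken from the post or from any NYPHP project. It binds a PHP session to a keyed hash of the User-Agent and the client's /24, compares it on every request, and goes a step beyond the post by regenerating the session ID at login. The constant name SESSION_SECRET, the helper names and the sample request arrays are all assumptions made here; the IP addresses are documentation-range values, not real traffic. Assumes PHP 7.0 or later with the standard session extension and cookie-only sessions.

```php
<?php
// Added example, not part of the original post.
// Assumes PHP 7.0+ and session.use_only_cookies = 1 in php.ini.
declare(strict_types=1);

// Server-side secret used to key the fingerprint. Assumed to be defined
// in the application's config from a random value; placeholder here.
const SESSION_SECRET = 'replace-with-a-long-random-server-side-secret';

// Fingerprint built from the two attributes the post proposes: the
// User-Agent string and the remote IP. Only the first three octets of an
// IPv4 address are kept, so a client whose ISP rotates addresses within a
// block is not logged out on every request. As the post notes, two clients
// behind the same NAT with the same browser produce the same value, and
// both attributes can be spoofed, so this only raises the bar.
function session_fingerprint(array $server, string $secret): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $ip = implode('.', array_slice(explode('.', $ip), 0, 3)) . '.0';
    }
    // Keyed hash: someone who can read the session store still cannot
    // compute a fingerprint for a different UA/IP without the secret.
    return hash_hmac('sha256', $ua . "\0" . $ip, $secret);
}

// Call once per request, right after session_start(). A fresh session is
// bound to the current fingerprint; an existing session must match it.
// On mismatch the server-side state is wiped and false is returned, so a
// copied session cookie stops being useful. Takes the session array by
// reference so it works on $_SESSION and on the plain arrays used below.
function validate_session(array &$session, array $server, string $secret): bool
{
    $expected = session_fingerprint($server, $secret);
    if (!isset($session['fp'])) {
        $session['fp'] = $expected;
        return true;
    }
    if (hash_equals($session['fp'], $expected)) {
        return true;
    }
    $session = [];
    return false;
}

// Call after a successful password check. Replacing the session ID at the
// moment privileges change means an ID handed to the victim before login
// (session fixation) does not carry over into the authenticated session.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['fp'] = session_fingerprint($_SERVER, SESSION_SECRET);
}

// Typical page prologue (runs only when a real request is being served):
if (PHP_SAPI !== 'cli') {
    session_start();
    if (!validate_session($_SESSION, $_SERVER, SESSION_SECRET)) {
        session_destroy();
        setcookie(session_name(), '', 1, '/');
        header('Location: /login.php');
        exit;
    }
}

// Constructed sample requests (not real traffic) that walk through the
// limitation raised in the post. $sameNat is a different person behind the
// same router with the same browser string: the fingerprint matches, so the
// check cannot tell the two apart. $otherBrowser changes the User-Agent,
// so the mismatch is caught and the session array is emptied.
$victim = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/1.0',
           'REMOTE_ADDR'     => '203.0.113.10'];
$sameNat = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/1.0',
            'REMOTE_ADDR'     => '203.0.113.10'];
$otherBrowser = ['HTTP_USER_AGENT' => 'curl/7.0',
                 'REMOTE_ADDR'     => '203.0.113.10'];

$sess = [];
validate_session($sess, $victim, SESSION_SECRET);       // binds the session
$undetected = validate_session($sess, $sameNat, SESSION_SECRET);
$detected   = !validate_session($sess, $otherBrowser, SESSION_SECRET);
```

Run with the CLI to exercise the two constructed cases without starting a real session. The check should be treated as a tripwire for careless attackers only: an attacker who captured the cookie off the wire also saw the User-Agent header and is usually on a nearby network, so, as the post already says, transporting the cookie over SSL/TLS is what actually prevents the theft.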


