1

Possible Duplicate:
Preventing session hijacking

I am coding up my login and authentication system for a PHP web application and looking for best practices to prevent session hijacking. The login page set's sessions:

$_SESSION['email_address'] = $_POST['email_address'];
$_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];

Then in every page and action I check to make sure the session exists, and the ip address stored in the session matches the ip address in $_SERVER['REMOTE_ADDR'].

if(isset($_SESSION['email_address']) && isset($_SESSION['ip_address']) && $_SESSION['ip_address'] == $_SERVER['REMOTE_ADDR']) {
     //valid auth
}

Reading online though, some people say simply checking the ip address is NOT good enough. What else is needed? Also, there is talk of using session_regenerate_id(). How does that factor into my code? Do I call session_regenerate_id() on every page?

Thanks.

Community
  • 1
  • 1
Justin
  • 42,716
  • 77
  • 201
  • 296

1 Answers1

0

If you're coding your own login system, I hope you're extremely versed in all the security issues and don't rely on questions given to you by people online like this site. $_SESSION is automatically a security risk on any shared server. $_SESSION is available to ALL php processes running on the system. If any of your clients end up running your software on a shared server, you will have to plan for that.

Its also extremely easy to code mistakes that create security holes. You'd be better off using Yii or some framework that already provides strong authenatication measures. Yii, for instance, is about as basic as you can get if you want to be able to boil it down to just giving you some login and security plugins to start.

JamesHoux
  • 2,999
  • 3
  • 32
  • 50