22

I lock the ip address.

Does this mean that the user can only log in with the same IP address? Or will the user be logged out and have to log in again to get a new session?

// First request of this session: remember the client IP we saw
if (isset($_SESSION['last_ip']) === false) {
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}

// Later request from a different IP: drop the whole session
if ($_SESSION['last_ip'] != $_SERVER['REMOTE_ADDR']) {
    session_unset();
    session_destroy();
}
sitilge
chien pin wang

3 Answers

13

This code will delete the session (logout) if the user's IP address changes.

So the user can log in from any IP address, but will be logged out if it changes.

This could work to prevent session hijacking, but it won't work very well if you're on a dynamic IP, because your IP will keep changing.

Maytham Fahmi
Halcyon
  • If the session is deleted, will the user be able to get a new session from the new IP if they log in? – chien pin wang Apr 09 '13 at 10:05
  • I have added session_regenerate_id(true); so how do these 2 work together? – chien pin wang Apr 09 '13 at 10:07
  • 3
    `session_regenerate` will give the user a new `session_id`. Sessions are identified by the `session_id`; the user sends this as a cookie. When you regenerate the session you're telling the user to send a different `session_id` from now on. The session data will remain the same, and aside from some edge cases this is pretty transparent (i.e. the user will not notice). – Halcyon Apr 09 '13 at 10:10
9

It does. If the user's IP changes, he'll be logged out. Although an attacker could still mimic the IP if he knows it, so it's not totally secure. Take a look at these pages for more information on how to prevent session hijacking:

I'd also highly recommend Chris Shiflett. His article on session hijacking can be found here:

http://shiflett.org/articles/session-hijacking

Community
Terry Harvey
1
if (isset($_SESSION['last_ip']) === false) {
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR']; 
}

The above code means that if the session value "last_ip" has not been created yet, it will be created and will store the user's current IP.

if ($_SESSION['last_ip'] != $_SERVER['REMOTE_ADDR']){
    session_unset();
    session_destroy();  
}

The above code indicates that if the session value "last_ip" is not equal to your current IP, it will free all session variables (session_unset) and destroy all data registered to the session (session_destroy).

Let's describe a real scenario.

e.g. I access your website, so the first block of code stores my current IP. Now my internet gets disconnected and I reconnect to my ISP, which has DHCP enabled and gives me a new IP. So if I visit your website again, the second block of code sees that I have a different IP, so it will log me out.

Also edit your second block of code to this, so that if the session value "last_ip" has not been created yet, it won't throw a PHP notice.

if (isset($_SESSION['last_ip']) && $_SESSION['last_ip'] != $_SERVER['REMOTE_ADDR']){
    session_unset();
    session_destroy();  
}
Alpesh Panchal
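The pieces discussed across the answers and comments (bind the IP at login, rotate the id with `session_regenerate_id(true)`, drop the session on an IP change without a PHP notice, and hand the client a fresh session so they can simply log in again from the new IP) fit together as below. This is an added example, not code from the question or any answer; it assumes cookie-based PHP sessions, that the application's login handler calls `bind_session_to_client()` after verifying credentials, and a hypothetical `/login.php` page.

```php
<?php
session_start();

// Call once, right after a successful login. Rotating the id first means any
// session id the client held before authenticating is no longer valid, so a
// pre-login id that leaked cannot be used to reach the authenticated session.
function bind_session_to_client(string $user_id): void
{
    session_regenerate_id(true);               // new id; old session data deleted
    $_SESSION['user_id'] = $user_id;
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}

// Call on every request before trusting anything in $_SESSION.
// Returns true if the session is authenticated and still bound to this IP.
function session_still_valid(): bool
{
    // No 'last_ip' yet: nobody logged in on this session. The isset() check
    // is what avoids the notice the last answer warns about.
    if (!isset($_SESSION['last_ip'])) {
        return false;
    }

    if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
        // IP changed (hijack attempt or a DHCP lease change): throw the
        // session away, exactly as in the question's second block.
        session_unset();
        session_destroy();

        // Then start a clean, empty session with a new id, so the client
        // lands on the login page and can log in again from the new IP.
        session_start();
        session_regenerate_id(true);
        return false;
    }

    return true;
}

if (!session_still_valid()) {
    header('Location: /login.php');            // hypothetical login page
    exit;
}
// From here on $_SESSION['user_id'] can be trusted for this request.
```

Legitimate users on dynamic IPs will still be logged out whenever their address changes, which is the trade-off the accepted answer points out; the check only raises the bar for an attacker who has the session id but not the same source address.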