
On Monday, I thought I had solved the session hijacking security issue by setting the session as the user IP, until I logged in. I had two users with the same IP (myself and a test user) and it kept switching between the two. Is there a way to prevent this and allow two users with the same IP to register on my site?

Thanks in advance, Terry.

3 Answers


You may have been reading advice about storing the user's IP in a table along with the session id (not in place of it). You'd then check to make sure they're coming from the same IP on subsequent requests; otherwise, force them to log in again. This method has problems as well: a user's IP can change as often as every ten minutes depending on their ISP!

Use the session id provided by PHP as it's unique and difficult to guess. Require it to be read from a cookie and never from the URL.

webbiedave
  • [From Here](http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking/5081453#5081453): "Include the user's IP address from $_SERVER['REMOTE_ADDR'] in the session. Basically, when the session starts, store it in something like $_SESSION['remote_ip']. This may be problematic from some ISPs that use multiple IP addresses for their users (such as AOL used to do). But if you use it, it will be much more secure." – Mike B Mar 22 '12 at 19:20

SSL the entire site if it is a concern and apply a short cookie timeout. The SSL will encrypt the cookie and transmission so it cannot be sniffed off the wire. A short time to live will make the cookie useless soon after it has been taken from the "logged in" computer if they have direct access to the system. So in short, get a security cert and go on as normal with a normal PHP session.

Platipuss

I take it you're looking up the user's information in the MySQL database using their IP? That is wrong. The only way to be truly unique is with a primary key field.

Either store the primary key as the session and pull their data, or store relevant information in the session and only pull anything else when it is needed.

Nahydrin
  • Thanks for the advice. That's what I was doing, until I read a few articles on "session hijacking". Apparently, this isn't the safest way to do it. Is there some other solution to prevent this? – Mar 22 '12 at 19:13
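The three answers above each cover one piece of the same picture: keep the primary key (not the IP) in the session (Nahydrin), accept the session id only from a cookie that PHP generated (webbiedave), and send that cookie only over HTTPS with a short lifetime (Platipuss). The following is an added example that puts those pieces together in one PHP login flow; it is not code from the question or from any of the answerers. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params` and `setcookie`), and the function names `start_secure_session`, `login_user`, `current_user_id` and `logout_user` are illustrative names chosen here, not an existing API. The IP-binding check from webbiedave's first paragraph is included but switched off by default, because two users behind one NAT address is exactly the situation the question describes.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answers). Hardened PHP session
// handling for a login system; all function names are illustrative.

function start_secure_session(int $idle_seconds = 1800): void
{
    // Session id comes only from the cookie, never from the URL, and ids
    // the server did not issue itself are rejected (defeats fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // HTTPS-only, hidden from JavaScript, short client-side lifetime.
    session_set_cookie_params([
        'lifetime' => $idle_seconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Server-side idle timeout, enforced even if the client keeps the cookie.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > $idle_seconds) {
        session_unset();
        session_regenerate_id(true); // drop the stale id, issue a fresh one
    }
    $_SESSION['last_seen'] = $now;
}

// Call only after the password check succeeded. $user_id is the users
// table's primary key; the session stores the key, never the IP as identity.
function login_user(int $user_id, string $remote_addr): void
{
    // Fresh id at the privilege change so a pre-login id cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['remote_ip'] = $remote_addr; // used only if IP binding is enabled
}

// Returns the logged-in user's primary key, or null if the session is not
// trusted. $bind_ip enables the "same IP as login" check; it is off by
// default because ISPs rotate addresses and NAT shares one IP among users.
function current_user_id(string $remote_addr, bool $bind_ip = false): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if ($bind_ip && (($_SESSION['remote_ip'] ?? null) !== $remote_addr)) {
        // Address changed since login: force re-authentication.
        session_unset();
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logout_user(): void
{
    session_unset();
    session_destroy();
    // session_destroy() does not touch the client cookie; expire it explicitly.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
    ]);
}

// Illustrative usage in a login handler ($row is the user's database row):
// start_secure_session();
// if (password_verify($_POST['password'], $row['password_hash'])) {
//     login_user((int) $row['id'], $_SERVER['REMOTE_ADDR']);
// }
//
// Illustrative usage on a protected page:
// start_secure_session();
// $uid = current_user_id($_SERVER['REMOTE_ADDR']);
// if ($uid === null) { header('Location: /login.php'); exit; }
```

Note that `current_user_id()` identifies the user by the `user_id` stored server-side against the cookie's session id, so two accounts logging in from the same address get two distinct session ids and never collide; the IP, if checked at all, is an extra binding on an existing session, not the lookup key.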