[nycphp-talk] Experts help needed (Sessions)
Joseph Crawford
codebowl at gmail.com
Thu Aug 4 08:58:59 EDT 2005
Guys, is this a bit better way to check session validity?
define('SES_KEY', md5('custom_string' . $_ENV['PROCESSOR_REVISION']
    . $_ENV['PROCESSOR_ARCHITECTURE'] . $_ENV['PROCESSOR_LEVEL'] . 'custon_string'));
$this->_key = md5($_SERVER['HTTP_USER_AGENT'] . SES_KEY . $ses_id);
That value is created and stored in the DB on session start; then in my
CheckSession function I am doing this:
if( $key !== $data['identifier'] )
This ends up creating an identifier similar to this:
733f97f78f00cd6d2f0d7955698ebac4a2aad2e4fb76d0a5862838e087a20251
This is based on the user's agent, the initial session key, and some server
stuff with some custom strings that I put in there.
This works just fine; I just wanted to know if it would be easy for someone
to hijack a session with this added security. I am also wondering if I
should set a cookie. I am not yet sure that I want the user to be able to
log back in after they close their browser, I mean at least not without going
through the login form.
--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
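
An added example, not code from the original post: one way to write the identifier and the CheckSession comparison described above, together with a cookie that ends when the browser closes. It assumes PHP 7.3 or later; the function names, the HMAC-SHA256 construction and the sample values are assumptions for illustration, whereas the post itself uses md5() over concatenated strings.

```php
<?php
// Added example: names, secret handling and sample values are assumptions.
declare(strict_types=1);

/** Bind a session id to the User-Agent with a keyed hash (HMAC-SHA256). */
function session_identifier(string $secret, string $userAgent, string $sesId): string
{
    // Length-prefix each field so two different (agent, id) pairs can never
    // produce the same input string, which plain concatenation allows.
    $msg = strlen($userAgent) . ':' . $userAgent . strlen($sesId) . ':' . $sesId;
    return hash_hmac('sha256', $msg, $secret);
}

/** CheckSession step: recompute the identifier and compare in constant time. */
function check_session(string $stored, string $secret, string $userAgent, string $sesId): bool
{
    return hash_equals($stored, session_identifier($secret, $userAgent, $sesId));
}

/** Cookie that lasts only until the browser closes, so a login form follows. */
function browser_session_cookie_params(): array
{
    return [
        'lifetime' => 0,      // 0 = discard when the browser closes
        'path'     => '/',
        'secure'   => true,   // send over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}
// In the web app: session_set_cookie_params(browser_session_cookie_params());
// then session_start(), and session_regenerate_id(true) right after login.

// Constructed sample values (in the app the secret comes from server config).
$secret = random_bytes(32);
$sesId  = bin2hex(random_bytes(16));
$agent  = 'Mozilla/5.0 (constructed sample agent)';
$stored = session_identifier($secret, $agent, $sesId); // saved in the db at session start

var_dump(check_session($stored, $secret, $agent, $sesId));                    // same browser
var_dump(check_session($stored, $secret, 'Other/1.0', $sesId));               // User-Agent changed
var_dump(check_session($stored, $secret, $agent, bin2hex(random_bytes(16)))); // other session id
```

The comparison only detects a change in the User-Agent header or the session id, both of which the client sends, so it complements rather than replaces an HTTPS-only session cookie and a fresh session id at login.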