How are sessions now protected/validated (useragent, ip) and is it necessary at all?

B

Barrakuda742018-04-29 12:49:18

PHP

Barrakuda74, 2018-04-29 12:49:18

You can kind of write down IP in them - but in the age of mobile phones that change IP at any time, somehow it does not look productive.
You can also do something like md5(session_id() . $_SERVER[HTTP_USER_AGENT]), and also write to the session. But some write that the browser is updated so often, and the number with the version there can be updated almost every day (and did anyone really measure it?).
You can also limit the number of requests for one session id, 5 requests - session_regenerate_id (), but it seems to me that session_regenerate_id was originally planned for something else.
Is it really necessary today? Do they steal cookies with session ids?
Or maybe someone can pull them out, and nothing will save him anyway?))

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

X

xmoonlight, 2018-04-29
@Barrakuda74

It is unlikely that within one session both the browser and IP will change at the same time.
Therefore, with a SIMULTANEOUS change: IP and User-Agent (everything is relative to the current session) - you can safely terminate all user sessions and force him to relogin.
If one thing changes, but the other does not change, and the signature for the package is TRUE, then we consider the session valid and do not break anything.
Of course, the secure and httpOnly flags for browser cookies are always set!