Session ID Checking

PtotheDO

Hello all,

I basically want to thwart against session hijacking by using session ID checking. Simplly put, I have a popup window where I want to use a meta http-equiv=``refresh” to check whether the session id is okay. If there is no refresh, the user is logged off.

Other things to mention is that once a user is logged on to the system, the session_id() is inserted into a mysql session table. When the refresh happens, it gets the session_id() from the browser and looks for it in the table. If it's there, it keeps the user logged in, if not logs the user out. I have all this implemented, but I'm not exactly sure if it's working correctly.

Is there any way to test this? Also, if the popup is accidently closed I want the user to be logged off, anyways to do this?

Thanks for your time.
P

edwardsbc

The pop-up box could contain javascript which would call a php script to invalidate your session information in the database. However, there is nothing to prevent the user from disabling javascript in his browser.

I use the session id only as a unique identifier in a session table, much as you are doing. I just store a expiration time in the row. Each time the user hits a page I extend the timeout unless, of course, the user was inactive until past the timeout.

This does load your database somewhat as you will have to check the session table on each page load, and update it. Updates are slow, so you could make the code only update if the user was close to the timeout.

Why the big concern with hijacking? Are you using trans-SID (URL) sessions? Don't.