Hello. I'm trying to develop a secure session mechanism. When navigating between 2 pages, I'm using the following code. This is the code that I have in both the sending and receiving pages:
session_start();
if (isset($_SESSION['HTTP_USER_AGENT']))
{
    $token = $_SERVER['HTTP_USER_AGENT'];
    $token .= 'asdfghjklzxcvbnm';
    if ($_SESSION['HTTP_USER_AGENT'] != md5($token))
    {
        /* what to do here */
        exit;
    }
}
else
{
    $token = $_SERVER['HTTP_USER_AGENT'];
    $token .= 'asdfghjklzxcvbnm';
    $_SESSION['HTTP_USER_AGENT'] = md5($token);
}
Additionally, I have the following code on just the receiving pages:
if (!isset($_SESSION['initiated']))
{
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}
And then in one of my receiving pages in particular, once I've verified/sanitized the user input, I was going to perform another session_regenerate_id().
Any thoughts on the structure here? I basically used the code provided by the PHP Security Guide, under the topic of Sessions, at:
http://phpsec.org/projects/guide/4.html
I also noticed that in the article the author mentions:
"Some experts claim that the User-Agent header is not consistent enough to be used in the way described. The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other proxies in the same cluster. While I have never observed this myself (and feel comfortable relying on the consistency of User-Agent), it is something you may want to consider."
Has anyone ever noticed this? Also, from the above code, assuming that someone is attempting to perform a session hijacking, what's the best way to handle it? Just perform a header command and redirect them to the real website? Not sure what to do here. Thanks in advance!
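One way to put the pieces the post describes together (fingerprint check, id regeneration on first use and on privilege change, and a concrete action on mismatch) is shown below. This is an added example, not the poster's code and not the PHP Security Guide's; it assumes PHP 7.3 or later, HTTPS, that the fingerprint secret is supplied through an environment variable named SESSION_FINGERPRINT_SECRET (a hypothetical name), and that /login.php is a placeholder for the real login page. It uses an HMAC instead of md5 with a fixed suffix and compares with hash_equals(); note that the User-Agent check remains only a weak consistency test, because the header is sent by the client and can be copied along with the cookie, so the stronger protections are the cookie flags, strict mode and regeneration.

```php
<?php
// Added example (not the original poster's code nor the PHP Security Guide's):
// a small session-hardening helper built around the same idea as the question.
// Assumptions: SESSION_FINGERPRINT_SECRET comes from the environment (hypothetical
// variable name), HTTPS is in use, and /login.php stands in for the real login page.

declare(strict_types=1);

// Hardening before session_start(): reject unknown session ids (defeats fixation
// with a made-up id), keep the cookie away from JavaScript, never accept ids via URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumes HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Hypothetical: secret loaded from the environment, never a literal in source.
function fingerprintSecret(): string
{
    $secret = getenv('SESSION_FINGERPRINT_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('SESSION_FINGERPRINT_SECRET is not configured');
    }
    return $secret;
}

// Keyed hash of the User-Agent. This is only a weak consistency check: the
// header is client-controlled, so it does not stop someone who copies it along
// with the cookie. HMAC rather than md5(ua . suffix) so the stored value does
// not leak what was hashed.
function sessionFingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, fingerprintSecret());
}

// Answer to "what to do here": drop the server-side state, expire the client's
// cookie, record the event, and send the browser to the login page.
function abandonSessionAndRedirect(string $location = '/login.php'): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    // error_log is used for portability; a real application would use its logger.
    error_log('session fingerprint mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    header('Location: ' . $location, true, 303);
    exit;
}

// Start or validate the session. A brand-new session gets a fresh id so an id
// planted before the user arrived is never the one that becomes authenticated.
function secureSessionStart(): void
{
    session_start();

    if (!isset($_SESSION['fingerprint'])) {
        session_regenerate_id(true);          // true: discard the old id's data
        $_SESSION['fingerprint'] = sessionFingerprint();
        $_SESSION['initiated']   = true;
        return;
    }

    if (!hash_equals($_SESSION['fingerprint'], sessionFingerprint())) {
        abandonSessionAndRedirect();
    }
}

// Call after a successful login or any other privilege change, so the id that
// was valid before the change stops working.
function elevateSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = sessionFingerprint();
}

secureSessionStart();
```

Include this file at the top of every page, and call elevateSession() from the page that verifies the login form instead of a bare session_regenerate_id(); passing true to session_regenerate_id() matters, because without it the old session file (and whatever the attacker could do with its id) stays readable until garbage collection.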