Hi all,
I am new to sessions and am trying to make a simple sessions security function. The function checks to see if a session variable has been set. If not it starts a new session. If the variable has been set then it should check user agent and address, if that is ok, then it should set a new session id. If I successfully login and then reload the page I think I should get a new session id and the function should return 3. What happens is the function always returns 1 with the same session id.
function chk_session(){
if (!isset($_SESSION['login_ok'])){
session_start();
$_SESSION['login_ok'] = 1;
$_SESSION['old_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['old_remote_addr'] = $_SERVER['REMOTE_ADDR'];
$i = 1;
}
else if ($_SESSION['old_user_agent'] != $_SERVER['HTTP_USER_AGENT'] || $_SESSION['old_remote_addr'] != $_SERVER['REMOTE_ADDR']){
session_destroy();
$i = 2;
}
else{
session_regenerate_id();
$i = 3;
}
return $i;
}
This one works:
function chk_session(){
$i = 0;
if (!isset($_COOKIE['PHPSESSID'])){ //New session.
session_start();
$_SESSION['login_ok'] = "OK";
session_register($_SESSION['login_ok']);
$_SESSION['old_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['old_remote_addr'] = $_SERVER['REMOTE_ADDR'];
$i = 1;
}
else{
$name = session_name();
session_start('$name');
if ($_SESSION['old_user_agent'] !== $_SERVER['HTTP_USER_AGENT'] || $_SESSION['old_remote_addr'] !== $_SERVER['REMOTE_ADDR']){
$_SESSION = array();
session_destroy(); //More than one computer with same session id.
$i = 2;
}
else{
session_regenerate_id(); //Get new session id for fixation attack protection
$i = 3;
}
}
return $i;
}
