situation: site uses sessions to track users' movements through the site as well as store user specific values
requirement: come up with a decent anti-hijacking solution for the sessions that is not dependent on browser cookies
my proposal: multi-level validation system combined with setting realistic session expiration values (10 minutes on most pages with 20 on pages requiring lots of data entry) as follows...
- validate session id (restrict to 32 long, not belonging to an expired session, and not including any invalid characters)
- validate referrer if provided
- if session id is propagated via the URI, validate the user's ip against a submask of the ip that created the session.
by my estimates this should minimize the risk of session theft while not inconveniencing the visitors.
your opinions?
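The three checks above, written out as an added example (not the poster's code) in Python with an in-memory session store. It assumes session ids are 32 lowercase hex characters, that the "submask" test is an IPv4 /24 comparison, and it applies the 10/20 minute sliding expiry described in the proposal:

```python
import ipaddress
import re
import time
from urllib.parse import urlsplit

# Assumptions for this example: ids are 32 hex chars, subnet check is /24.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")
DEFAULT_TTL = 10 * 60        # most pages
DATA_ENTRY_TTL = 20 * 60     # pages requiring lots of data entry

def create_session(store, sid, client_ip, now=None):
    """Record the creating IP and an initial expiry for a new session."""
    now = time.time() if now is None else now
    store[sid] = {"created_ip": client_ip, "expires": now + DEFAULT_TTL}

def validate_session(store, sid, client_ip, *, via_uri, referrer=None,
                     allowed_hosts=(), data_entry=False, prefix_len=24, now=None):
    """Return None if the request may use the session, else a rejection reason.
    On success the expiry is pushed out by the page's TTL (sliding expiration)."""
    now = time.time() if now is None else now
    # 1. session id: fixed length, restricted alphabet, known, and not expired
    if not isinstance(sid, str) or not SESSION_ID_RE.match(sid):
        return "bad session id format"
    record = store.get(sid)
    if record is None:
        return "unknown session id"
    if now >= record["expires"]:
        del store[sid]          # an expired id is never accepted again
        return "session expired"
    # 2. referrer: only checked when the client actually sent one
    if referrer:
        host = urlsplit(referrer).hostname
        if host not in allowed_hosts:
            return "referrer not from this site"
    # 3. id arrived in the URI: client must be in the creating IP's subnet
    if via_uri:
        net = ipaddress.ip_network(f"{record['created_ip']}/{prefix_len}",
                                   strict=False)
        if ipaddress.ip_address(client_ip) not in net:
            return "client ip outside originating subnet"
    record["expires"] = now + (DATA_ENTRY_TTL if data_entry else DEFAULT_TTL)
    return None
```

Requests carrying the id in a cookie skip the subnet check, as the proposal describes; only URI-propagated ids are tied to the originating subnet.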