Hijackin' PHP sessions?

Anon

If someone was to sniff the sessionid of a php4 session, would he then be able to hijack it?

Anon

It's possible.

One solution is to log the REMOTE_ADDR in the session and check it against the REMOTE_ADDR of the client at each page request.

acebone

Yes - I thought about that, I don't know anything about IP-spoofing though, but that's probably not my concern? I mean it must be up to the folks maintaing the server and the firewall(s)?

matts

You may want to watch out for proxies. For example, AOL may make requests from multiple IPS becauase their requests are being proxied.

What about using the referring tag and make sure the user didn't just type the URL with the session into the website. Make sure that they came to your site without a sessionid set. If they did come with a session, assign them a new session.

Mike Hall wrote:

It\\'s possible.

One solution is to log the REMOTE_ADDR in the session and check it against the REMOTE_ADDR of the client at each page request.