Jump to content

How tie cookie to an ip address?

someguy321

By someguy321
in PHP Coding Help

 Share

Recommended Posts

Andy-H Advanced Member

Andy-H

Posted
Posted

Never heard of it but I guess it would work this way:


$addr = str_replace(".", "", $_SERVER['REMOTE_ADDR']);
//set cookie
if ( !isset($_COOKIE[$addr."-cookiename"]) )
{
   setcookie($addr . "-cookiename", "cookieval", time() + 56400, "", "", "", true);
}

//get cookie
if ( isset($_COOKIE[$addr . "-cookiename"]) )
{
   $val = $_COOKIE[$addr . "-cookiename"];
}

Link to comment
Share on other sites
johnsmith153 Advanced Member

johnsmith153

Posted
Posted

Tie this in with the login script.

 

When someone logs in and you store their user id (or whatever) as $_SESSION['loggedInUserId'] (e.g.), also store their IP in $_SESSION['registeredIP'] (or something).

 

On every page that you check $_SESSION['loggedInUserId'] also check if $_SESSION['registeredIP'] matches the user's IP - which of course it should.

 

If a hacker then hijacks an active session then $_SESSION['loggedInUserId'] will obviously show the user's session they have stolen but $_SESSION['registeredIP'] certainly won't match their IP. In this case you ca throw them off.

 

I always make admin areas use SSL for every page anyway so this wouldn't be needed for them.

Link to comment
Share on other sites
someguy321 Member

someguy321

Posted
  • Author
Posted

Tie this in with the login script.

 

When someone logs in and you store their user id (or whatever) as $_SESSION['loggedInUserId'] (e.g.), also store their IP in $_SESSION['registeredIP'] (or something).

 

On every page that you check $_SESSION['loggedInUserId'] also check if $_SESSION['registeredIP'] matches the user's IP - which of course it should.

 

If a hacker then hijacks an active session then $_SESSION['loggedInUserId'] will obviously show the user's session they have stolen but $_SESSION['registeredIP'] certainly won't match their IP. In this case you ca throw them off.

 

I always make admin areas use SSL for every page anyway so this wouldn't be needed for them.

 

Thanks!

 

Can you explain a bit more about how SSL makes it so they're protected from that same session hijacking?

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.