someguy321 Posted September 15, 2010
I see all over the web that I should tie a session cookie to an IP to help stop some XSS session stealing, but I can't find HOW to do this anywhere. Can someone post some example code? Thanks!
Andy-H Posted September 15, 2010
Never heard of it but I guess it would work this way:

    // Strip the dots so the address can be used as part of a cookie name
    $addr = str_replace(".", "", $_SERVER['REMOTE_ADDR']);

    // set cookie
    if ( !isset($_COOKIE[$addr . "-cookiename"]) ) {
        // args: name, value, expires, path, domain, secure, httponly
        setcookie($addr . "-cookiename", "cookieval", time() + 56400, "", "", false, true);
    }

    // get cookie
    if ( isset($_COOKIE[$addr . "-cookiename"]) ) {
        $val = $_COOKIE[$addr . "-cookiename"];
    }
johnsmith153 Posted September 15, 2010
Tie this in with the login script. When someone logs in and you store their user id (or whatever) as $_SESSION['loggedInUserId'] (e.g.), also store their IP in $_SESSION['registeredIP'] (or something). On every page that you check $_SESSION['loggedInUserId'], also check if $_SESSION['registeredIP'] matches the user's IP - which of course it should. If a hacker then hijacks an active session then $_SESSION['loggedInUserId'] will obviously show the user's session they have stolen, but $_SESSION['registeredIP'] certainly won't match their IP. In this case you can throw them off. I always make admin areas use SSL for every page anyway, so this wouldn't be needed for them.
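The login-time binding and per-page check described above, written out as an added example (not code from the thread); it assumes PHP 7.3+ and a login page that reaches bindSessionToClient() only after the credentials have been verified.

```php
<?php
// Added example: bind a PHP session to the client IP at login and verify it
// on every request, using the $_SESSION keys named in the post above.

// HttpOnly keeps page scripts (the XSS case) from reading the session cookie;
// Secure keeps it off plain-HTTP requests. Set before the session starts.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Call only after the user's credentials have been verified.
function bindSessionToClient(int $userId): void
{
    // Issue a fresh session id on login so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['loggedInUserId'] = $userId;
    $_SESSION['registeredIP']   = $_SERVER['REMOTE_ADDR'];
}

// Returns the logged-in user id, or null if there is no valid bound session.
function currentUserId(): ?int
{
    if (!isset($_SESSION['loggedInUserId'], $_SESSION['registeredIP'])) {
        return null;
    }
    if ($_SESSION['registeredIP'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        // IP no longer matches: treat the session as suspect and end it.
        // Caveat: users on mobile networks or behind rotating proxies change
        // IP legitimately, so this check logs them out as well.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['loggedInUserId'];
}

// On a protected page:
$uid = currentUserId();
if ($uid === null) {
    header('Location: /login.php'); // hypothetical login page path
    exit;
}
```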
someguy321 Posted September 15, 2010
Tie this in with the login script. When someone logs in and you store their user id (or whatever) as $_SESSION['loggedInUserId'] (e.g.), also store their IP in $_SESSION['registeredIP'] (or something). On every page that you check $_SESSION['loggedInUserId'], also check if $_SESSION['registeredIP'] matches the user's IP - which of course it should. If a hacker then hijacks an active session then $_SESSION['loggedInUserId'] will obviously show the user's session they have stolen, but $_SESSION['registeredIP'] certainly won't match their IP. In this case you can throw them off. I always make admin areas use SSL for every page anyway, so this wouldn't be needed for them.

Thanks! Can you explain a bit more about how SSL makes it so they're protected from that same session hijacking?