As now protect/validinput session (useragent, ip) and whether you need it at all?

0 like 0 dislike
9 views
You can like to capture IP but in the age of cell phones, changing the IP at any time, as it is not productive looks.
You can still do something like md5(session_id() . $_SERVER[HTTP_USER_AGENT]), and also to record the session. But some write that the browser is updated so often, and the number of the version where he can almost every day to upgrade (and someone really measured?).
You can still limit the number of ω requests for the same session id, query 5 - session_regenerate_id(), but it seems to me that session_regenerate_id a few for other originally planned.

Do we want that today? If stealing cookies from ID shkami sessions?
Or maybe anyone they can get, and so nothing will save?))
by | 9 views

2 Answers

0 like 0 dislike
Unlikely inside one session will change and the browser and IP simultaneously.
Therefore, when the SIMULTANEOUS change of IP and User-Agent (relative to the current session) - you can safely pick off all user sessions and force him to logout.

If you change one thing, but does not change the other, and signed for the package - is CORRECT, then we consider the session valid and nothing interrupts.

Of course, the secure and httpOnly flags, browser for cook - set always!
by
0 like 0 dislike
The cookies need to set the secure and httpOnly flags
by

Related questions

0 like 0 dislike
1 answer
0 like 0 dislike
3 answers
asked Apr 27, 2019 by logpol32
0 like 0 dislike
2 answers
0 like 0 dislike
4 answers
asked May 21, 2019 by matthewstafford
110,608 questions
257,186 answers
0 comments
33,673 users