开发者

Good Method To Prevent Session Hijacking?

Scenario: Upon starting a session on my site, I generate a rand token that is shown to the user that once. Say they “store” it away for later use. I then, INSERT the md5(token) into SQL with timestamp. When the user visits other pages like login, they would have to pass the token via URL as part of the validation process. I would check to see if the token exist and maybe UPDATE userid to this token.

So. Even if someone steals a user’s PHPSESSID cookie, wouldn’t it do ANY good to the ha开发者_如何学Gocker since they can’t access any of these pages without knowing the token?


You are right that they won't be able to access the pages without the token, but as an added point, sometimes I'd like to use IP tracking or browser tracking used concurrently as well.

The rationale being that even if someone gets a PHPSESSID cookie and the token, he would have to be coming from the same IP source as well as use the same browser. Then again these are just means of security by obscurity.

I recommend if you are really concerned about security, you can try looking at using a HTTPS connection. Hope it helped. Cheers!

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜