PHP Session Hijacking Detected

Question

I have this code:

if (isset( $_SESSION['user_agent'] )) {
    if ($_SESSION['user_agent'] != md5( $_SERVER['HTTP_USER_AGENT'] )) {
        die('Session error.');
    }   
}

Everything works fine. But every time I login (once per 24 hours), I get the error. Is the user agent changing or something?

Thanks for your help.

Are you sure that error is not shown at any other point in your code? What happens if `$_SESSION['user_agent']` is not set? — Ja͢ck, Feb 02 '13 at 14:59
Thanks for the response, although the error would only show **if** the session is set. — user1453094, Feb 02 '13 at 15:00
Chrome I've heard updates in the background and the user agent string changes as well. — Class, Feb 02 '13 at 15:00
If this happens every time, I would suggest simply debugging the actual user agent values and see why they changed. — Ja͢ck, Feb 02 '13 at 15:05

score 0 · Answer 1 · answered Feb 02 '13 at 14:58

0

Sessions have a limited lifetime http://www.php.net/manual/en/session.configuration.php usually minutes or some hours

answered Feb 02 '13 at 14:58

Maks3w

6,014
6
37
42

Thanks for the response, although the error would only show **if** the session is set. – user1453094 Feb 02 '13 at 15:02

score 0 · Answer 2 · answered Dec 29 '17 at 05:08

Anyone capable of hijacking sessions (i.e. via sniffing unencrypted HTTP) has the keys to the kingdom once an authenticated user comes along.

HTTP_USER_AGENT? Yeah, that's also sent in the clear, and the attacker can just spoof it. Any MitM applicance that steals/spoofs session cookies will generally also impersonate the user agent of the user's browser too.

The only solution here is HTTPS, which is now free thanks to Let's Encrypt.

PHP Session Hijacking Detected

2 Answers2