I'm just trying to make it a little more secure by making it more work for a user to use a stolen cookie.

I've read a post, *Is it possible for $_SERVER['HTTP_USER_AGENT'] to not be set?*, that says $_SERVER['HTTP_USER_AGENT'] might not be sent by the user. The scenario is: what type of user will try not to send $_SERVER['HTTP_USER_AGENT'], and is that the main user group of my site?

Below is what my current remember_me table looks like; I'm working on the device column now.

    CREATE TABLE IF NOT EXISTS `remember_me` (
      -- token column; shortened from varchar(4000) because a key that long
      -- exceeds MySQL's index length limit and the PRIMARY KEY would fail
      `rm_ID` varchar(255) NOT NULL,
      -- device fingerprint (e.g. a hash of the user agent)
      `rm_device` varchar(165) NOT NULL,
      -- 39 chars holds a full IPv6 address
      `rm_IP_created` varchar(39) NOT NULL,
      `rm_last_action` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
      `rm_cookie_created` TIMESTAMP NULL,
      -- the original referenced the table name here, which is not a column
      PRIMARY KEY (`rm_ID`)
    )

If $_SERVER['HTTP_USER_AGENT'] is not suitable, what is the most common way of doing device detection?

What I'm trying to do here is prevent a cookie from being used on another device with different properties, such as a cookie stored on a Mac being used on Windows, or the version of the web browser changing.


Edit:

How about storing something like `Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)`, which could be null? However, does this change often? I'm not quite sure about the function of http://php.net/manual/en/reserved.variables.server.php

  • There's no way to detect the device. An HTTP query could be sent even by a robot (via cURL, for example). So you should not rely on user device information in your application, especially if you're trying to organize security. – Alma Do Aug 14 '13 at 06:49
  • It is possible to be empty. Do a [file_get_contents](http://php.net/manual/en/function.file-get-contents.php) on a URL and see that there is no user agent. You could deny access to your website to empty user agents. Web crawlers and browsers always set the user agent. – machineaddict Aug 14 '13 at 06:49
  • I'm just trying to get something like `Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)`, which is shown when I'm using `$_SERVER['HTTP_USER_AGENT']`. I'll disable remember me if no user agent is found; it's the majority group who has no user agent that I don't know. – Anonymous Aug 14 '13 at 06:57
  • [Remember me is insecure](https://www.owasp.org/index.php/Guide_to_Authentication#Remember_Me), so by implementing it, you make your application less secure. Do you really need it? – Blender Aug 14 '13 at 06:58
  • $_SERVER['HTTP_USER_AGENT'] can be set by the user to whatever he wants... No need to be a big hacker. In Chrome press F12, then click settings in the bottom right corner, and in overrides you will find the first option, User Agent... Easily done. So I wouldn't rely on that at all. – Salketer Aug 14 '13 at 07:19
  • It's sure that when a cookie is stolen you can't hope for security (even with the IP, as maybe your friend has stolen it). I'm just making it harass the person so that he has to do one more piece of extra work -> store the specific user's working environment and paste it into the web browser. It will be annoying for me though. – Anonymous Aug 14 '13 at 09:04
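The check the question describes, as an added example that is not code from the question or the comments: a remember-me row is bound to a hash of the user agent stored in `rm_device`, a missing user agent disables remember-me (as the asker planned), and the cookie is also expired by age. The row lookup is simulated with a constructed array in place of a database query; as the comments note, the user agent is client-controlled, so this is only a speed bump, not a security boundary.

```php
<?php
declare(strict_types=1);

// Fingerprint of the client's user agent, or null when the header is absent.
// Null means "do not issue or honour a remember-me cookie" for this request.
function deviceFingerprint(array $server): ?string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if (trim($ua) === '') {
        return null;
    }
    // 64 hex chars fits rm_device varchar(165) and avoids storing the raw UA.
    return hash('sha256', $ua);
}

// Validate a presented remember-me token against its stored row.
// $row is the remember_me row fetched by rm_ID, or null when not found.
function validateRememberMe(?array $row, array $server, int $maxAgeSeconds = 30 * 86400): bool
{
    if ($row === null) {
        return false;
    }
    $fp = deviceFingerprint($server);
    if ($fp === null) {
        return false; // no user agent: remember-me is disabled
    }
    // Constant-time compare. Any UA change (browser upgrade, other OS) rejects the cookie.
    // Note: an attacker who copied the cookie can also copy the UA string.
    if (!hash_equals($row['rm_device'], $fp)) {
        return false;
    }
    // Expire old cookies regardless of fingerprint, using rm_cookie_created.
    $created = strtotime($row['rm_cookie_created']);
    if ($created === false || time() - $created > $maxAgeSeconds) {
        return false;
    }
    return true;
}

// Constructed sample row and requests (hypothetical values, not real data).
$ua = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)';
$row = [
    'rm_ID'             => 'constructed-token-value',
    'rm_device'         => hash('sha256', $ua),
    'rm_cookie_created' => date('Y-m-d H:i:s', time() - 3600),
];
var_dump(validateRememberMe($row, ['HTTP_USER_AGENT' => $ua]));       // same browser
var_dump(validateRememberMe($row, ['HTTP_USER_AGENT' => 'curl/7.0'])); // different client
var_dump(validateRememberMe($row, []));                                 // no user agent
```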
