Good Method To Prevent Session Hijacking?

Question

Scenario: Upon starting a session on my site, I generate a rand token that is shown to the user that once. Say they “store” it away for later use. I then, INSERT the md5(token) into SQL with timestamp. When the user visits other pages like login, they would have to pass the token via URL as part of the validation process. I would check to see if the token exist and maybe UPDATE userid to this token.

So. Even if someone steals a user’s PHPSESSID cookie, wouldn’t it do ANY good to the hacker since they can’t access any of these pages without knowing the token?

score 1 · Answer 1 · answered May 01 '11 at 05:17

You are right that they won't be able to access the pages without the token, but as an added point, sometimes I'd like to use IP tracking or browser tracking used concurrently as well.

The rationale being that even if someone gets a PHPSESSID cookie and the token, he would have to be coming from the same IP source as well as use the same browser. Then again these are just means of security by obscurity.

I recommend if you are really concerned about security, you can try looking at using a HTTPS connection. Hope it helped. Cheers!

good idea about the ssl. that would help peeking on the token. thanks that helped!! — Newphper, May 01 '11 at 05:23

Good Method To Prevent Session Hijacking?

1 Answers1