When I was encountering this issue while building SugarCRM, I tracked and validated the IP address of the user (in addition to some other things). I only compared the first three sections of the IP address. This allowed for most of the locally variable IP addresses. I also made it possible to turn off the IP address validation for installations where a major variation in IP address was common. I think only comparing the beginning of the IP address helps you with the security without adding such a severe limitation to your application.

Example: "###.###.###.---" Only the portion of the IP address marked with '#' would be verified.

192.168.1.101
192.168.1.102
192.168.1.XXX

Are all considered equal.

Jacob

To prevent session fixation, which is basically guessing the SID or stealing it using various methods. NO matter how sophistacated your session logic is, it will definitely be vulnerable to sessid stealing to some degree. That's why you have to regenerate the ID everytime you do something important. For example if you're gonna be making a post or changing a setting in the admin, first run session-regenerate-id. Then the hacker has to go through the process of hacking you again. This basically gives the hacker a one time shot with an ID with all the time he wasted.

http://us.php.net/manual/en/function.session-regenerate-id.php

Or you can change the id every so turns

if($_SESSION['counter']==3) {session_regenerate_id();$_SESSION['counter']==0}

Also, $_SERVER['HTTP_USER_AGENT'] isn't very reliable. Try to avoid it not only for that reason, but because it's convenient for hackers bc they know agents are widely used for this. Instead try using $_SESSION['id_token'] = sha1(some crazy info like file memory, filename, time).

I guess the second one needs to be 'logged_in'?

Some resources regarding session security:

phpsec

shiflett

You can find a guide on session security in PHP here.

You can store the IP address, browser signature, etc. to identify the user. At each request, check it against the current values to see if anything suspicious happened.

Be aware that some people are behind providers that use absolutely dynamic IP addresses, so those people might get often logged out.

Terminology

• User: A visitor.
• Client: A particular web-capable software installed on a particular machine.

Understanding Sessions

In order to understand how to make your session secure, you must first understand how sessions work.

Let's see this piece of code:

session_start();

As soon as you call that, PHP will look for a cookie called PHPSESSID (by default). If it is not found, it will create one:

PHPSESSID=h8p6eoh3djplmnum2f696e4vq3

If it is found, it takes the value of PHPSESSID and then loads the corresponding session. That value is called a session_id.

That is the only thing the client will know. Whatever you add into the session variable stays on the server, and is never transfered to the client. That variable doesn't change if you change the content of $_SESSION. It always stays the same until you destroy it or it times out. Therefore, it is useless to try to obfuscate the contents of $_SESSION by hashing it or by other means as the client never receives or sends that information.

Then, in the case of a new session, you will set the variables:

$_SESSION['user'] = 'someuser';

The client will never see that information.

The Problem

A security issue may arise when a malicious user steals the session_id of an other user. Without some kind of check, he will then be free to impersonate that user. We need to find a way to uniquely identify the client (not the user).

One strategy (the most effective) involves checking if the IP of the client who started the session is the same as the IP of the person using the session.

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}

// The Check on subsequent load
if($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) {
    die('Session MAY have been hijacked');
}

The problem with that strategy is that if a client uses a load-balancer, or (on long duration session) the user has a dynamic IP, it will trigger a false alert.

Another strategy involves checking the user-agent of the client:

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT'];
}

// The Check on subsequent load
if($_SESSION['agent'] != $_SERVER['HTTP_USER_AGENT']) {
    die('Session MAY have been hijacked');
}

The downside of that strategy is that if the client upgrades it's browser or installs an addon (some adds to the user-agent), the user-agent string will change and it will trigger a false alert.

Another strategy is to rotate the session_id on each 5 requests. That way, the session_id theoretically doesn't stay long enough to be hijacked.

if(logging_in()) {
    $_SESSION['user'] = 'someuser';
    $_SESSION['count'] = 5;
}

// The Check on subsequent load
if(($_SESSION['count'] -= 1) == 0) {
    session_regenerate_id();
    $_SESSION['count'] = 5;
}

You may combine each of these strategies as you wish, but you will also combine the downsides.

Unfortunately, no solution is fool-proof. If your session_id is compromised, you are pretty much done for. The above strategies are just stop-gap measures.