[nycphp-talk] Experts help needed (Sessions)
Chris Shiflett
shiflett at php.net
Sat Aug 6 16:35:22 EDT 2005
Dan Cech wrote:
> Your function would work the same way if it was:
>
> $this->_key = $_SERVER['HTTP_USER_AGENT'];
I was about to point this out, too. The data within $_ENV is going to be
consistent, so it can't help you to identify inconsistencies in the
client's requests.
> Thus it doesn't actually provide any real added protection against
> session hijacking, because any attacker who can get hold of the session
> id will also be able to determine and spoof the user agent string.
That's not necessarily true. Judging something according to its strength
as an identifier doesn't make a lot of sense in this context, either,
and this is another remark I frequently observe.
The idea with these Defense in Depth mechanisms is to reduce the
likelihood of session hijacking under the condition that the session
identifier has been captured. Every little thing helps.
A valid argument against user agent checking is that it can be
inconsistent for the same user due to inconsistent HTTP proxy behavior.
Thus, while it can help you identify inconsistencies, it's possible that
some of these are false positives. These can be reduced somewhat by
recording a user's history - someone with a consistent user agent for
the last 100 requests is unlikely to send a different one in the same
session, and a simple password prompt as "punishment" can make sure that
any false positives don't piss off your legitimate users too much. :-)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
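One way to implement the User-Agent binding discussed in this thread as a defense-in-depth check, with the two mitigations Chris describes (a per-session history of consistent requests and a password prompt on mismatch instead of a hard logout). This is an added example, not code from the original post or from Brain Bulb; the session key names, the threshold constant and the /reauth.php path are assumptions.

```php
<?php
// Added example: bind a PHP session to a digest of the User-Agent header.
// This does not make the session id unguessable; it only raises the bar
// once an id has been captured, which is the point made in the thread.

const UA_STABLE_THRESHOLD = 100; // consistent requests before a change is treated as strong evidence (assumed value)

/**
 * Returns 'new' on the first request of a session, 'ok' when the
 * User-Agent matches the stored digest, or 'reauth' on a mismatch.
 */
function check_user_agent(array &$session, string $userAgent): string
{
    // Store a fixed-size digest rather than the raw header value.
    $current = hash('sha256', $userAgent);

    if (!isset($session['ua_hash'])) {
        $session['ua_hash']  = $current;
        $session['ua_count'] = 1;
        return 'new';
    }

    if (hash_equals($session['ua_hash'], $current)) {
        $session['ua_count']++;   // extend the consistent history
        return 'ok';
    }

    // Mismatch. A long consistent history makes a proxy-induced false
    // positive less likely, so record that in the log for triage.
    $severity = $session['ua_count'] >= UA_STABLE_THRESHOLD ? 'high' : 'low';
    error_log(sprintf('User-Agent mismatch for session %s after %d consistent requests (%s)',
        session_id(), $session['ua_count'], $severity));

    // Keep the session but require the password before anything sensitive;
    // remember the new digest so a successful re-auth can rebind to it.
    $session['reauth_required'] = true;
    $session['pending_ua_hash'] = $current;
    return 'reauth';
}

/** Call only after the user has successfully re-entered their password. */
function confirm_reauth(array &$session): void
{
    if (isset($session['pending_ua_hash'])) {
        $session['ua_hash']  = $session['pending_ua_hash'];
        $session['ua_count'] = 1;
    }
    unset($session['reauth_required'], $session['pending_ua_hash']);
    session_regenerate_id(true);  // new id after the trust decision
}

// Typical use at the top of a protected page (not on /reauth.php itself):
session_start();
if (check_user_agent($_SESSION, $_SERVER['HTTP_USER_AGENT'] ?? '') === 'reauth') {
    header('Location: /reauth.php');
    exit;
}
```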