[nycphp-talk] session validation between http requests

Konstantin Rozinov krozinov at
Sat Aug 1 03:35:06 EDT 2009

Hey guys,

Anyone doing session validation between HTTP requests?  I know that
the HTTP headers can all be changed and spoofed, but for legitimate
users, I expect the HTTP headers I'm using below to NOT change between
requests, during the same session.

I've been looking into this lately, but ran across sites (like that say that
HTTP_ACCEPT_CHARSET can legitimately change between requests during a
session.  I've never run into this in testing, so I was wondering if
somebody could confirm that statement?

What about the other HTTP headers I'm using below?  Can those
legitimately and realistically change as well during a session?

Any ideas, comments, or suggestions would be greatly welcomed!


session_start();

$client_id = '';

if (isset($_SERVER['HTTP_ACCEPT_CHARSET']) === true)
	$client_id .= $_SERVER['HTTP_ACCEPT_CHARSET'];
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) === true)
	$client_id .= $_SERVER['HTTP_ACCEPT_ENCODING'];
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) === true)
	$client_id .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
if (isset($_SERVER['HTTP_USER_AGENT']) === true)
	$client_id .= $_SERVER['HTTP_USER_AGENT'];

// First request of the session: nothing stored yet, so record the
// fingerprint instead of comparing against an undefined index.
if (isset($_SESSION['client_id_hash']) === false)
	$_SESSION['client_id_hash'] = md5($client_id);

if ($_SESSION['client_id_hash'] !== md5($client_id)) {
	header('Location: /logout');
	exit;	// stop rendering the protected page after the redirect
}

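The check from the post, rewritten as an added example (this is not the original poster's code, and FINGERPRINT_HEADERS, client_fingerprint(), fingerprint_matches() and concatenation_collides() are names chosen here, not part of any framework). It puts the logic in functions so it can be exercised from the command line on constructed header sets, records the fingerprint on a session's first request instead of comparing against a missing value, uses a separator and the header name inside the hashed string, and compares with hash_equals(). It also shows why the separator matters: plain concatenation lets two different header sets produce the same hash.

```php
<?php
// Added example, not from the original post. Header names are assumed to
// be the four from the post; adjust FINGERPRINT_HEADERS to taste.

const FINGERPRINT_HEADERS = [
    'HTTP_ACCEPT_CHARSET',
    'HTTP_ACCEPT_ENCODING',
    'HTTP_ACCEPT_LANGUAGE',
    'HTTP_USER_AGENT',
];

// Build the fingerprint from a $_SERVER-style array. Each header is tagged
// with its name and the parts are joined with a separator, so a value moving
// from one header to another, or a header disappearing, changes the hash.
function client_fingerprint(array $server): string
{
    $parts = [];
    foreach (FINGERPRINT_HEADERS as $name) {
        $parts[] = $name . '=' . ($server[$name] ?? '');
    }
    return hash('sha256', implode("\n", $parts));
}

// Compare against the value stored in the session. On the first request of a
// session there is nothing to compare with, so record the fingerprint instead
// of rejecting. hash_equals() keeps the comparison constant-time.
function fingerprint_matches(array &$session, array $server): bool
{
    $current = client_fingerprint($server);
    if (!isset($session['client_id_hash'])) {
        $session['client_id_hash'] = $current;
        return true;
    }
    return hash_equals($session['client_id_hash'], $current);
}

// Plain concatenation, as in the original snippet, cannot tell where one
// header ends and the next begins. Returns true when these two constructed
// header sets collide under concatenation but not under client_fingerprint().
function concatenation_collides(): bool
{
    $a = ['HTTP_ACCEPT_ENCODING' => 'gzip,', 'HTTP_ACCEPT_LANGUAGE' => 'en'];
    $b = ['HTTP_ACCEPT_ENCODING' => 'gzip',  'HTTP_ACCEPT_LANGUAGE' => ',en'];
    $concat = fn(array $s) => md5(implode('', $s));
    return $concat($a) === $concat($b)
        && client_fingerprint($a) !== client_fingerprint($b);
}

// Command-line demonstration on constructed header sets.
function demo(): void
{
    $session = [];
    $first = [
        'HTTP_ACCEPT_ENCODING' => 'gzip, deflate',
        'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
        'HTTP_USER_AGENT'      => 'Mozilla/5.0 (constructed UA)',
    ];
    if (!fingerprint_matches($session, $first)) {
        throw new RuntimeException('first request must be accepted and recorded');
    }
    if (!fingerprint_matches($session, $first)) {
        throw new RuntimeException('unchanged headers must match');
    }
    $changed = $first;
    $changed['HTTP_USER_AGENT'] = 'Mozilla/5.0 (other constructed UA)';
    if (fingerprint_matches($session, $changed)) {
        throw new RuntimeException('changed User-Agent must be rejected');
    }
    if (!concatenation_collides()) {
        throw new RuntimeException('expected the concatenation collision');
    }
    echo "fingerprint checks behaved as expected\n";
}

if (PHP_SAPI === 'cli') {
    demo();
} else {
    // Web usage: run once per request, before the protected page's output.
    session_start();
    if (!fingerprint_matches($_SESSION, $_SERVER)) {
        session_unset();
        session_destroy();
        header('Location: /logout');
        exit;
    }
}
```

Run it with `php fingerprint.php` to see the command-line checks, or include it at the top of a protected page. Two design notes: the "record on first sight" branch is only a fallback for sessions that predate the check; in a real login flow the fingerprint should be stored at authentication time (together with session_regenerate_id()), otherwise a stolen session cookie that has no stored hash yet simply gets bound to whoever presents it first. And because the header values are not secret, the choice of hash function is not what makes this secure; what matters is that the hashed string is unambiguous and that a mismatch is treated as a signal rather than proof, since the question in the post of which headers can legitimately change mid-session is exactly what decides the false-positive rate.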