[nycphp-talk] session validation between http requests

Konstantin Rozinov krozinov at gmail.com
Sat Aug 1 03:35:06 EDT 2009


Hey guys,

Anyone doing session validation between HTTP requests?  I know that
the HTTP headers can all be changed and spoofed, but for legitimate
users, I expect the HTTP headers I'm using below to NOT change between
requests, during the same session.

I've been looking into this lately, but ran across sites (like
http://shiflett.org/articles/the-truth-about-sessions) that say that
HTTP_ACCEPT_CHARSET can legitimately change between requests during a
session.  I've never run into this in testing, so I was wondering if
somebody could confirm that statement?

What about the other HTTP headers I'm using below?  Can those
legitimately and realistically change as well during a session?

Any ideas, comments, or suggestions would be greatly welcomed!

Thanks,
Konstantin


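// Build a fingerprint from request headers that are expected to stay
// constant for a legitimate client during one session.
$client_id = '';

if (isset($_SERVER['HTTP_ACCEPT_CHARSET']) === true)
{
	$client_id .= $_SERVER['HTTP_ACCEPT_CHARSET'];
}
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) === true)
{
	$client_id .= $_SERVER['HTTP_ACCEPT_ENCODING'];
}
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) === true)
{
	$client_id .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
}
if (isset($_SERVER['HTTP_USER_AGENT']) === true)
{
	$client_id .= $_SERVER['HTTP_USER_AGENT'];
}

// Compare with the hash stored in the session (assumed to be set at login).
// A missing or different hash ends the session.
if (isset($_SESSION['client_id_hash']) === false
	|| $_SESSION['client_id_hash'] !== md5($client_id))
{
	header('Location: /logout');
	exit();
}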
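
An added example, not code from the original post: a per-header variant of the check above that reports which tracked header changed, so a header the cited article describes as variable (Accept-Charset) can be logged instead of forcing a logout. The function names, the `$tolerated` list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example; fingerprint_headers(), changed_headers() and check_client()
// are hypothetical names, not part of the original post.
const TRACKED = ['HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING',
                 'HTTP_ACCEPT_LANGUAGE', 'HTTP_USER_AGENT'];

// Hash each tracked header separately; a missing header hashes as ''.
function fingerprint_headers(array $server): array
{
    $fp = [];
    foreach (TRACKED as $name) {
        $fp[$name] = hash('sha256', isset($server[$name]) ? $server[$name] : '');
    }
    return $fp;
}

// Return the tracked headers whose value differs from the stored fingerprint.
function changed_headers(array $stored, array $server): array
{
    $changed = [];
    foreach (fingerprint_headers($server) as $name => $digest) {
        if (!isset($stored[$name]) || !hash_equals($stored[$name], $digest)) {
            $changed[] = $name;
        }
    }
    return $changed;
}

// 'ok' = nothing changed, 'log' = only tolerated headers changed, else 'logout'.
function check_client(array $stored, array $server, array $tolerated): string
{
    $changed = changed_headers($stored, $server);
    if ($changed === []) {
        return 'ok';
    }
    return array_diff($changed, $tolerated) === [] ? 'log' : 'logout';
}

// Constructed sample requests (not real traffic).
$login = ['HTTP_ACCEPT_CHARSET'  => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
          'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
          'HTTP_ACCEPT_LANGUAGE' => 'en-us,en;q=0.5',
          'HTTP_USER_AGENT'      => 'ExampleBrowser/1.0'];
$stored = fingerprint_headers($login);   // would be kept in $_SESSION at login
$noCharset = $login;
unset($noCharset['HTTP_ACCEPT_CHARSET']);
$otherAgent = ['HTTP_USER_AGENT' => 'OtherBrowser/2.0'] + $login;
$tolerated = ['HTTP_ACCEPT_CHARSET'];    // assumption: tolerate only this header

foreach ([$login, $noCharset, $otherAgent] as $request) {
    echo check_client($stored, $request, $tolerated), "\n";
}
```

Logging the output of `changed_headers()` in production for a while is one way to measure which headers actually vary for real clients before deciding which ones to enforce.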


