NYCPHP Meetup

[nycphp-talk] session validation between http requests

Konstantin Rozinov krozinov at gmail.com
Thu Aug 6 01:16:00 EDT 2009


Ping... sorry, just wanted to see one last time if anyone had any
suggestions/ideas?

On Sat, Aug 1, 2009 at 3:35 AM, Konstantin Rozinov<krozinov at gmail.com> wrote:
> Hey guys,
>
> Anyone doing session validation between HTTP requests?  I know that
> the HTTP headers can all be changed and spoofed, but for legitimate
> users, I expect the HTTP headers I'm using below to NOT change between
> requests, during the same session.
>
> I've been looking into this lately, but ran across sites (like
> http://shiflett.org/articles/the-truth-about-sessions) that say that
> HTTP_ACCEPT_CHARSET can legitimately change between requests during a
> session.  I've never run into this in testing, so I was wondering if
> somebody could confirm that statement?
>
> What about the other HTTP headers I'm using below?  Can those
> legitimately and realistically change as well during a session?
>
> Any ideas, comments, or suggestions would be greatly welcomed!
>
> Thanks,
> Konstantin
>
>
> // Build a client fingerprint from the request headers we expect to stay
> // constant for one browser during one session.
> $client_id = '';
>
> if (isset($_SERVER['HTTP_ACCEPT_CHARSET']))
> {
>        $client_id .= $_SERVER['HTTP_ACCEPT_CHARSET'];
> }
> if (isset($_SERVER['HTTP_ACCEPT_ENCODING']))
> {
>        $client_id .= $_SERVER['HTTP_ACCEPT_ENCODING'];
> }
> if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']))
> {
>        $client_id .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
> }
> if (isset($_SERVER['HTTP_USER_AGENT']))
> {
>        $client_id .= $_SERVER['HTTP_USER_AGENT'];
> }
>
> // Bind the fingerprint on the first request of the session; without this
> // the comparison below fails (undefined index) and every new session is
> // sent straight to /logout.
> if (!isset($_SESSION['client_id_hash']))
> {
>        $_SESSION['client_id_hash'] = md5($client_id);
> }
> // On every later request, a changed fingerprint ends the session.
> elseif ($_SESSION['client_id_hash'] !== md5($client_id))
> {
>        header('Location: /logout');
>        exit();
> }
>
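As an added illustration of the approach discussed above (not code from the original post), the following PHP keeps the bind-on-first-request / verify-on-every-request split as separate testable functions, fingerprints only the headers the thread treats as stable (User-Agent and Accept-Language, leaving out Accept-Charset and Accept-Encoding, which the cited article says may vary), and uses a keyed hash plus a constant-time comparison. The header arrays and `$secret` are constructed values for the demonstration.

```php
<?php
// Added example, not from the original post. $secret is an assumed
// server-side value; in a real deployment load it from configuration.

function client_fingerprint(array $server, string $secret): string
{
    // Only headers one browser sends consistently during a session.
    $stable = ['HTTP_USER_AGENT', 'HTTP_ACCEPT_LANGUAGE'];
    $parts = [];
    foreach ($stable as $name) {
        // Normalize so a missing header and an empty header hash identically.
        $parts[] = $name . '=' . trim($server[$name] ?? '');
    }
    // Keyed hash: the stored value cannot be recreated from the headers alone.
    return hash_hmac('sha256', implode("\n", $parts), $secret);
}

// Returns true when the request matches the fingerprint bound to the session.
// The fingerprint is bound on the first request instead of rejecting it,
// which avoids the logout loop a missing session entry would otherwise cause.
function validate_session_client(array &$session, array $server, string $secret): bool
{
    $current = client_fingerprint($server, $secret);
    if (!isset($session['client_fp'])) {
        $session['client_fp'] = $current;
        return true;
    }
    // Constant-time comparison of the two hashes.
    return hash_equals($session['client_fp'], $current);
}

// Constructed requests for the demonstration; pass $_SESSION and $_SERVER in real use.
$secret  = 'replace-with-a-random-server-secret';
$session = [];
$first = [
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5',
    'HTTP_ACCEPT_LANGUAGE' => 'en-us,en;q=0.5',
    'HTTP_ACCEPT_CHARSET'  => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
];
validate_session_client($session, $first, $secret);   // first request: binds the fingerprint

$charsetChanged = $first;
$charsetChanged['HTTP_ACCEPT_CHARSET'] = 'utf-8';     // ignored header, session still valid
$agentChanged = $first;
$agentChanged['HTTP_USER_AGENT'] = 'curl/7.19';       // fingerprinted header, session rejected

foreach (['charset' => $charsetChanged, 'agent' => $agentChanged] as $label => $request) {
    if (!validate_session_client($session, $request, $secret)) {
        echo "$label: fingerprint mismatch, end the session\n";
        // In a request handler: session_destroy(); header('Location: /logout'); exit();
    }
}
```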


