Question

I'm going to create a login screen. So if the user enters the correct username and password, I'm going to create a session like this:

// the id has to be set before session_start(), otherwise it is not applied
session_id(md5($_SERVER['REMOTE_ADDR'])); // one fixed id derived from the user's remote IP address
session_start();
$my_session_id = session_id();

then I'm going to save the $my_session_id back into the user table.

Every time I load a page, I'm going to check session_id() against the field in the database to validate whether the session is good or not.

Assuming the database is secured, is the code good and secure enough?

**Edit:** Okay, I know it's not secure, but what about this:

session_start();
$old_session_id = session_id();
session_regenerate_id(true); // issue a new id and delete the old session data
$new_session_id = session_id();
// save $new_session_id into the user table
$_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR']; // the user's remote IP

then on every page check $_SESSION['user_ip'] and session_id() against the database field.

Is it good enough?


Solution

No, it's not at all. I can re-create the session id for any IP, thus hijacking any session. Just leave the default session_id, make sure to always regenerate it upon login (to prevent session-fixation attacks) and store the IP along with the session, to verify that the session actually belongs to the user.
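A login handler and per-page check that follow this answer (leave the session id to PHP, regenerate it on login, store the IP with the session and verify it), as an added example rather than code from the question or the answers; the users table, its columns and the PDO connection $pdo are assumptions:

```php
<?php
// Added example (not from the question or answers). Assumes a PDO connection in
// $pdo and a users table with columns id, username, password_hash (hypothetical).

// Reject session ids the server never issued, so an id planted in a cookie
// before login is never honoured (session fixation).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();   // PHP picks a random id; nothing is derived from the IP

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Discard the pre-login id and its data and issue a fresh random one: an id
    // an attacker fixed beforehand (or could derive, as md5(ip) allows) is now useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];   // stored with the session
    return true;
}

// Run on every page after session_start(). Valid only if login() created the
// session and the request comes from the IP it was bound to. Clients whose IP
// changes mid-session (dynamic IPs, mobile networks) are logged out, which is
// the trade-off the tips below mention.
function sessionIsValid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['user_ip'])) {
        return false;
    }
    if ($_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR']) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}
```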

OTHER TIPS

No, it's not secure at all. Why would you do it? If you want to bind the session to IP address, store IP in session variable and check it.

When you start a session, it already creates its own session id. It is not advisable to create your own.

If you want to store it in a table you can get it with $sessionId = session_id(); and store that in the table. It will be better.

For more information you can go to: http://in3.php.net/session_id

You should check for users that have dynamic IPs.

Licensed under: CC-BY-SA with attribution