Session hijacking prevention...how far will my script get me? additional prevention procedures?

Question

When the user logs in the current session vairables are set

$_SESSION['user']['timeout'] = time();
$_SESSION['user']['ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['user']['agent'] = $_SERVER['HTTP_USER_AGENT'];

In my common.php page (required on ALL php pages) i have used the below script, which resets a 15 minute timer each time the user is active furhtermore checks the IP address and checks the user_agent, if they do not match that as of when they first logged in/when the session was first set, the session is unset furthermore with inactivity of up to 15 minutes the session is also unset.

... is what i have done a good method for preventing session hijacking furthermore is it secure and or is it enough? If not what more can be done?

if(!empty($_SESSION['user'])){  
    if ($_SESSION['user']['timeout'] + 15 * 60 < time()) {
        unset($_SESSION['user']); 
        } else {
        $_SESSION['user']['timeout'] = time();
        if($_SESSION['user']['ip'] != $_SERVER['REMOTE_ADDR']){
            unset($_SESSION['user']); 
        }
        if($_SESSION['user']['agent'] != $_SERVER['HTTP_USER_AGENT']){
            unset($_SESSION['user']); 
        }
    }
}

Answer 1

With the limitation of 15 miniatures you ensure that if the session hijacked, attacker can not use it for a long time, while the user leaved his/her machine or turned it off ( and has not logged off ). But what about the time that user is working and attacker has hijacked the session. Checking ip address is a good idea but there is a small limitation with it. while user doesn't have static ip address and he/she has been disconnected from the network and reconnected. A new ip address will be assigned to it. And this situation forces his session to be expired, while he is a valid user. Also this trick doesn't do anything for attackers that are in the same private LAN with valid user and they both are behind a gateway with a public ip address. because they both have same ip address in your server ( ip address of NAT or gateway ). In my opinion what you have done is good. But it is better to make the website secure against XSS and CSRF attacks. Preventing javascript injection in client. And if it is so important to prevent any such attacks, also using ssl to be secure againt network sniffers.