JAMESOMIGHTY
Posted February 24, 2010

OK, I have this bit of code in my header to stop session hijacking, but occasionally it can make users suddenly log into other users' accounts and be able to do stuff!

```php
} // closes a preceding block that is not shown in the post

// Compare the hash of the current User-Agent with the one stored in the session.
if (isset($_SESSION['userAgent']) && sha1($_SERVER['HTTP_USER_AGENT']) != $_SESSION['userAgent']) {
    echo ('[b]An error has occured with your account, please Sign-In again. Click <a href = "/login.php">HERE</a> to go to the sign in page.[/b]');
    session_unset();
    session_destroy();
    $h->endpage();
    exit();
} else {
    // No hash stored yet, or the hash matched: store the current one.
    $_SESSION['userAgent'] = sha1($_SERVER['HTTP_USER_AGENT']);
}
```

If anyone can see a problem with this, please post the fix!!!

Jordan Palmer
Posted February 24, 2010

Fail much? :/ This has been done by Zeddicus. You've edited it, nothing major, oh, and done a bad job, with no offence intended.

Zero-Affect
Posted February 24, 2010

JAMESOMIGHTY, who implemented the code? Maybe they can help.

seanybob
Posted February 24, 2010

That's like letting a kid steal a cookie from the cookie jar, then chasing him around the kitchen trying to get it back. You're doing it wrong.

If you just secure user input, you don't have to worry about people stealing sessions. Make sure (especially) that profile signatures, forum signatures, mail messages, and any type of 'comment' posts have their content secured properly.

It's better to lock up the cookie jar than go chasing around trying to catch the kid.

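The approach described in seanybob's post, as an added example that is not code from this thread: user-supplied text is HTML-encoded at output time, and the session cookie is marked so page scripts cannot read it. The function names, cookie settings and sample signature are assumptions made for illustration; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Encode user-supplied text (signatures, mail, comments) for an HTML body
// context so any markup in it is shown as text, not interpreted by the browser.
function render_user_text(string $raw): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of making the whole result an empty string.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Line breaks are added only after encoding, so <br> is the one tag
    // the output can contain.
    return nl2br($safe, false);
}

// Start the session with a cookie that script running in the page cannot read.
// Call this in the header before any output is sent.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // hidden from document.cookie
        'secure'   => true,   // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Demonstration with a constructed signature; runs from the command line.
if (PHP_SAPI === 'cli') {
    $signature = "Hi <b>all</b>\n<script>/* constructed sample */</script>";
    echo render_user_text($signature), PHP_EOL;
}
```

The encoding belongs at every place stored user content is written into a page, since one unencoded field is enough to run script in another user's session.
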
Magictallguy
Posted February 28, 2010

> That's like letting a kid steal a cookie from the cookie jar, then chasing him around the kitchen trying to get it back. You're doing it wrong. If you just secure user input, you don't have to worry about people stealing sessions. Make sure (especially) that profile signatures, forum signatures, mail messages, and any type of 'comment' posts have their content secured properly. It's better to lock up the cookie jar than go chasing around trying to catch the kid.

Well said sir :)