JAMESOMIGHTY Posted February 24, 2010 ok i have this bit of code in my header to stop session hijacking but occasionally it can make users suddenly log into other users' accounts and be able to do stuff!

```php
<?php
// Compare the hash of the current User-Agent against the one stored in the
// session; on a mismatch, tear the session down and send the user back to
// the login page, otherwise record the hash for later requests.
if (isset($_SESSION['userAgent']) && sha1($_SERVER['HTTP_USER_AGENT']) != $_SESSION['userAgent']) {
    echo '<b>An error has occurred with your account, please Sign-In again. Click <a href="/login.php">HERE</a> to go to the sign in page.</b>';
    session_unset();
    session_destroy();
    $h->endpage();
    exit();
} else {
    $_SESSION['userAgent'] = sha1($_SERVER['HTTP_USER_AGENT']);
}
```

if anyone can see a problem with this pls post the fix!!!
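The snippet above binds the session to the User-Agent, but it records the fingerprint on whatever request happens to arrive first, sets no cookie flags, and never rotates the session id at login, so a session id that existed before authentication stays valid after it. The following is an added example, not JAMESOMIGHTY's code or any forum project's code, of how the same check is usually wired up: cookie flags, id regeneration at login, and the fingerprint compared with a constant-time function. `$h->endpage()` is the page helper from the original post and is assumed to exist; `login.php` and the `userId` session key are assumptions.

```php
<?php
// Added example: hardened session binding (not the original post's code).
declare(strict_types=1);

// Cookie flags: not readable by script, HTTPS only, not sent cross-site.
// Must be set before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Fingerprint of the client. Deliberately limited to the User-Agent: IP
// addresses change legitimately (mobile networks, proxies) and binding to
// them logs real users out.
function clientFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once, immediately after a successful password check.
function bindSessionToClient(int $userId): void
{
    // Throw away the pre-login session id so an id planted before login
    // (session fixation) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['userId']    = $userId;   // assumed session key
    $_SESSION['userAgent'] = clientFingerprint();
}

// Call at the top of every page that requires a logged-in user.
// $h is the page helper assumed from the original post.
function enforceSessionBinding(object $h): void
{
    if (!isset($_SESSION['userAgent'])) {
        // Nobody has logged in on this session yet; nothing to verify.
        return;
    }
    // hash_equals() compares in constant time and avoids the loose != used
    // in the original, which can misbehave on numeric-looking strings.
    if (!hash_equals($_SESSION['userAgent'], clientFingerprint())) {
        echo '<strong>An error has occurred with your account, please sign in again. '
           . 'Click <a href="/login.php">HERE</a> to go to the sign-in page.</strong>';
        $_SESSION = [];
        session_destroy();
        $h->endpage();
        exit();
    }
}

// Typical use: login.php calls bindSessionToClient($userId) once the
// credentials are verified; every protected page calls enforceSessionBinding($h).
```

Note that a User-Agent check can only log someone out; it cannot on its own put one user into another user's account, so the symptom described in the post is worth tracing separately, starting with whether session ids are regenerated at login and whether any code path writes `userId` into a session it did not authenticate.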
Jordan Palmer Posted February 24, 2010 Fail much? :/ This has been done by Zeddicus. You've edited it, nothing major. Oh, and done a bad job, no offence intended.
Zero-Affect Posted February 24, 2010 JAMESOMIGHTY, who implemented the code? Maybe they can help.
seanybob Posted February 24, 2010 That's like letting a kid steal a cookie from the cookie jar, then chasing him around the kitchen trying to get it back. You're doing it wrong. If you just secure user input, you don't have to worry about people stealing sessions. Make sure (especially) that profile signatures, forum signatures, mail messages, and any type of 'comment' posts have their content secured properly. It's better to lock up the cookie jar than go chasing around trying to catch the kid.
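seanybob's point is that session theft on a site like this usually starts with stored script in a signature, mail message or comment that other users then render. The following is an added example, not seanybob's code or the forum project's code, of the output side of "securing" that content: escape everything the user typed, and only afterwards re-introduce the small set of markup the site allows (here the `[b]` tag the thread itself uses). The `$signature` sample is constructed for the example.

```php
<?php
// Added example: rendering user-supplied text safely (not the forum's code).
declare(strict_types=1);

// Escape a string for placement in HTML body text. ENT_QUOTES also escapes
// single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string (which would otherwise silently drop the whole field).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a signature or comment that may contain a restricted BBCode subset.
// Order matters: escape first, then map the allowed tags onto fixed HTML, so
// nothing the user wrote ever reaches the page as raw markup.
function renderUserText(string $raw): string
{
    $safe = escapeHtml($raw);
    // Only these exact patterns become HTML; the replacement is a literal
    // template, never user-controlled.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<em>$1</em>', $safe);
    return $safe;
}

// Constructed sample: a signature that tries to smuggle a script tag past
// the renderer, alongside legitimate formatting.
$signature = '[b]Hi![/b] <script>alert("xss")</script> <img src=x onerror=alert(1)>';

// Output: <strong>Hi!</strong> &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;
//         &lt;img src=x onerror=alert(1)&gt;
// The browser displays the tags as text; nothing executes.
echo renderUserText($signature);
```

The same `escapeHtml()` belongs anywhere a stored value is echoed into a page, including places that look harmless such as usernames in a title or a profile URL in an attribute; the escaping is cheap and the one spot that is missed is the one that matters.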
Magictallguy Posted February 28, 2010
(quoting seanybob) That's like letting a kid steal a cookie from the cookie jar, then chasing him around the kitchen trying to get it back. You're doing it wrong. If you just secure user input, you don't have to worry about people stealing sessions. Make sure (especially) that profile signatures, forum signatures, mail messages, and any type of 'comment' posts have their content secured properly. It's better to lock up the cookie jar than go chasing around trying to catch the kid.
Well said sir :)