thedestroyer, Posted July 26, 2010

Does anyone know how to stop session hijacking on the login page?

Zero-Affect, Posted July 26, 2010

# Joke
die('no!');

Don't think you can stop it on the login page.

thedestroyer (Author), Posted July 26, 2010

> # Joke
> die('no!');
>
> Don't think you can stop it on the login page.

wtf if you couldn't stop it there wouldn't be any games around.....

Dominion, Posted July 26, 2010

He said he cannot stop it on the login page, not that it cannot be stopped ...

Haunted Dawg, Posted July 26, 2010

If you're on the login page, there are no sessions being called, thus no major exploit on the login page.

thedestroyer (Author), Posted July 26, 2010

> If you're on the login page, there are no sessions being called, thus no major exploit on the login page.

Maybe I explained wrong then. What I mean is you can log in as another player.

Haunted Dawg, Posted July 26, 2010

Well then http://makewebgames.io/board750/31798-session-hijacking-protection

Although, including on the sha1 function, I'd include a special text like this:

$_SESSION['HTTP_USER_AGENT'] = sha1('SomeRandom'.$_SERVER['HTTP_USER_AGENT'].'SomeRandom');

That way making it even more secure, as now a lot of people are going to know you're hashing the USER AGENT, and can still spoof it. I'd also suggest you make the random text something else and keep it to yourself.

iSOS, Posted July 26, 2010

Lol, that would be entering their username & password then lmfao, not session hijacking!

Zero-Affect, Posted July 27, 2010

What he means is when I steal his session then switch my session code to his and while he's logged in I move around and delete stuff on his account. I agree with HD, would be much safer to add more to the base code.

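One way to implement the salted User-Agent check from Haunted Dawg's post, as an added example that is not code from the thread or the linked topic: it swaps the salted sha1() for an HMAC and a constant-time comparison. FINGERPRINT_KEY, the function names, the 'userid' key and the sample User-Agent strings are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. FINGERPRINT_KEY and the function
// names are hypothetical; keep the real key out of the web root and the repo.
const FINGERPRINT_KEY = 'replace-with-a-long-random-server-side-secret';

// Keyed hash of the User-Agent: the same idea as the thread's
// sha1('SomeRandom'.$ua.'SomeRandom'), using HMAC-SHA256 instead.
function ua_fingerprint(array $server): string
{
    return hash_hmac('sha256', $server['HTTP_USER_AGENT'] ?? '', FINGERPRINT_KEY);
}

// Call once, right after the username/password check succeeds.
function bind_session_to_agent(array &$session, array $server, int $userId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // discard the pre-login session ID
    }
    $session['userid'] = $userId;
    $session['HTTP_USER_AGENT'] = ua_fingerprint($server);
}

// Call at the top of every logged-in page; false means force a fresh login.
function fingerprint_matches(array &$session, array $server): bool
{
    $stored = $session['HTTP_USER_AGENT'] ?? '';
    if (isset($session['userid']) && is_string($stored)
        && hash_equals($stored, ua_fingerprint($server))) {
        return true;
    }
    $session = []; // mismatch or missing fingerprint: drop the session data
    return false;
}

// Constructed demonstration: plain arrays stand in for $_SESSION and $_SERVER.
$session = [];
$owner = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed owner browser)'];
$other = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed different browser)'];

bind_session_to_agent($session, $owner, 42);
var_dump(fingerprint_matches($session, $owner)); // request from the same browser

$copied = $session; // the same session data presented by another client
var_dump(fingerprint_matches($copied, $other));
```

A matching fingerprint only shows that the request came from a client sending the same User-Agent, which the thread notes can be spoofed, so treat it as one layer alongside regenerating the session ID at login.
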