Let's just consider the trust that the server has with the user.
Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentic
I would also suggest storing the user agent and ip information in the session, and verifying it on each request. It's not bullet-proof, but it is a fairly significant increase in robustness. While UA forging is really easy, IP forging, while possible, is MUCH harder... But you may have issues with users who are behind a round-robin IP system such as AOL users...
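The two suggestions above (regenerate the session ID at login, and bind the session to the user agent and IP) in working PHP. This is an added example, not code from either answer. It assumes a stock PHP deployment where `$_SERVER['REMOTE_ADDR']` is the real client address (no reverse proxy in front); the function names `login_user`, `require_valid_session`, `client_fingerprint` and `deny` are illustrative and not part of any library:

```php
<?php
// Added example (not from the original thread): session fixation defence plus
// the user-agent / IP binding suggested above. Assumes a stock PHP setup where
// $_SERVER['REMOTE_ADDR'] is the actual client address (no reverse proxy).

session_start();

// Fingerprint the client. The values are hashed so the session stores no raw
// User-Agent string and the later comparison is fixed-length. Users behind a
// rotating proxy pool (the AOL case above) will fail the IP part on a new
// request, so pass $bindIp = false if that population matters to you.
function client_fingerprint(bool $bindIp = true): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $bindIp ? ($_SERVER['REMOTE_ADDR'] ?? '') : '';
    return hash('sha256', $ua . '|' . $ip);
}

// Call exactly once, immediately after the password has been verified.
// Regenerating here discards any session ID an attacker planted before
// login (the fixation vector); `true` also deletes the old session data.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = [];                  // clean slate for the authenticated session
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['login_at']    = time();
}

// Call at the top of every request that requires a logged-in user.
// Returns the user id, or terminates the request with a 401.
function require_valid_session(): int
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['fingerprint'])) {
        deny();
    }
    // hash_equals() is a timing-safe comparison of the two hex digests.
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Either a stolen cookie replayed from a different client, or a
        // legitimate client whose IP changed. Both are handled the same way:
        // drop the session and force a fresh login.
        deny();
    }
    return (int) $_SESSION['user_id'];
}

// Destroy the server-side session, expire the cookie, and stop processing.
function deny(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    http_response_code(401);
    exit('Session invalid, please log in again.');
}
```

If the application sits behind a load balancer or reverse proxy, `REMOTE_ADDR` is the proxy's address for every user and the IP check becomes useless (it will never fail); in that setup you would have to take the client address from a proxy header you trust, which is a separate hardening question.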