PHP: Preventing Session Hijacking with token stored as a cookie?

Question

I\'m working on an RIA in PHP. To try to prevent session hijacking I introduced a token, generated at login, based off a salt, ISO-8601 week number and the user\'s IP.

Answer 1

Any data the user keeps can be stolen; any data a visitor sends could be spoofed. Better to store the remote IP in $_SESSION when the session is opened, and compare the remote IP with every request. If they don't match, it's probably a hijack. Generate a new ID and have the user log back in.