PHP: Preventing Session Hijacking with token stored as a cookie?

Frontend · unresolved · 3 answers · 1692 views
你的背包 2020-12-15 14:10

I'm working on an RIA in PHP. To try to prevent session hijacking I introduced a token, generated at login, based off a salt, ISO-8601 week number and the user's IP.
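As an added example that is not part of the original question, here is one way to build and verify the token the question describes in PHP. The "salt" becomes the key of an HMAC (the constant `SESSION_SECRET`, assumed to be loaded from configuration in practice), the ISO-8601 week comes from `date('o\WW')`, and the cookie value is compared in constant time with `hash_equals()`. Because the week number is baked into the token, a session that is alive at the Monday rollover would otherwise stop validating, so the check also accepts the previous week's token. The function and cookie names are assumptions for this example.

```php
<?php
// Added example, not code from the original post. The token is an HMAC over
// (ISO year + ISO week, client IP) keyed with a server-side secret; SESSION_SECRET
// is an assumption standing in for a value loaded from configuration.
declare(strict_types=1);

const SESSION_SECRET = 'replace-with-a-long-random-value-from-config';   // assumption

/** Token for a given client IP at a given moment. 'o\WW' renders e.g. "2020W51". */
function buildSessionToken(string $ip, DateTimeImmutable $when, string $secret = SESSION_SECRET): string
{
    // ISO year ("o") rather than calendar year ("Y"): the first days of January can
    // belong to the last ISO week of the previous year, and the token must agree.
    $week = $when->format('o\WW');
    return hash_hmac('sha256', $week . '|' . $ip, $secret);
}

/**
 * Verify the cookie against the current request. The previous week's token is also
 * accepted so a session that straddles the week boundary does not suddenly fail.
 */
function verifySessionToken(string $cookieToken, string $ip, DateTimeImmutable $now, string $secret = SESSION_SECRET): bool
{
    $candidates = [
        buildSessionToken($ip, $now, $secret),
        buildSessionToken($ip, $now->modify('-7 days'), $secret),
    ];
    foreach ($candidates as $expected) {
        if (hash_equals($expected, $cookieToken)) {   // constant-time comparison
            return true;
        }
    }
    return false;
}

// At login (assumed cookie name "ria_token"; 'secure' presumes the site runs over SSL):
//   $token = buildSessionToken($_SERVER['REMOTE_ADDR'], new DateTimeImmutable());
//   setcookie('ria_token', $token, ['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
// On every request:
//   if (!verifySessionToken($_COOKIE['ria_token'] ?? '', $_SERVER['REMOTE_ADDR'], new DateTimeImmutable())) {
//       // treat as a hijack: destroy the session and send the user back to the login page
//   }

// Constructed demonstration with fixed inputs (not real traffic).
$issuedAt = new DateTimeImmutable('2020-12-15 14:10:00', new DateTimeZone('UTC'));   // ISO week 2020W51
$token    = buildSessionToken('203.0.113.10', $issuedAt);

var_dump(verifySessionToken($token, '203.0.113.10', $issuedAt));                      // same IP, same week
var_dump(verifySessionToken($token, '198.51.100.7', $issuedAt));                      // different IP
var_dump(verifySessionToken($token, '203.0.113.10', $issuedAt->modify('+8 days')));   // next week: grace applies
var_dump(verifySessionToken($token, '203.0.113.10', $issuedAt->modify('+15 days')));  // two weeks on: rejected
```

The first and third checks pass, the second and fourth fail. Two caveats worth keeping in mind with this design: a token tied to the client IP will log out legitimate users whose address changes mid-session (mobile networks, rotating corporate proxies), and the token only proves the cookie was minted by your server for that IP and week; an attacker who can read the cookie from the same network position can still replay it, which is why the cookie should only ever travel over SSL.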

3 answers
  • 2020-12-15 14:36

    I have done an RIA with the same approach you have done, and I just set up SSL on the application for security. Since Flex and remoting are sessionless, I'd recommend using SSL. My co-worker also developed an application with user login/logout and he did the same thing.

  • 2020-12-15 14:47

    Any data the user keeps can be stolen; any data a visitor sends could be spoofed. Better to store the remote IP in $_SESSION when the session is opened, and compare the remote IP with every request. If they don't match, it's probably a hijack. Generate a new ID and have the user log back in.

  • 2020-12-15 14:47

    session_regenerate_id() is great for preventing session hijacking.

    session_regenerate_id — Update the current session id with a newly generated one

    Continuously rotate the session_id for every page visit. Makes it very difficult to hijack a constantly moving target.

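The two server-side suggestions above, storing the remote IP in `$_SESSION` and comparing it on every request, and rotating the session ID with `session_regenerate_id()`, fit naturally into one session bootstrap, together with the cookie flags that only make sense once the site is served over SSL as the first answer recommends. The following is an added example, not code from any of the answers; the function names, the `bound_ip`/`rotated_at` session keys and the five-minute rotation interval are assumptions, and the array form of `session_set_cookie_params()` requires PHP 7.3 or later.

```php
<?php
// Added example, not code from the original answers. Combines IP binding in $_SESSION,
// session_regenerate_id() on login and on a timer, and HTTPS-only cookie flags.
// Function names and session keys are assumptions for this example.
declare(strict_types=1);

function startHardenedSession(): void
{
    // Cookie flags: sent only over HTTPS, invisible to JavaScript, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');    // refuse session IDs the server never issued
    ini_set('session.use_only_cookies', '1');   // never accept the ID from a URL parameter
    session_start();
}

/** Call once after the credentials check. A fresh ID here also defeats session fixation. */
function onLoginSuccess(int $userId, string $remoteIp): void
{
    session_regenerate_id(true);                // true: delete the old session data as well
    $_SESSION['user_id']    = $userId;
    $_SESSION['bound_ip']   = $remoteIp;
    $_SESSION['rotated_at'] = time();
}

/**
 * Per-request guard. Returns true when the session may continue, false when there is no
 * login or the session was destroyed because the client IP no longer matches the login IP.
 */
function guardSession(string $remoteIp, int $rotateEvery = 300): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;                           // not logged in
    }
    if (!hash_equals($_SESSION['bound_ip'] ?? '', $remoteIp)) {
        // Probable hijack (or a client whose address changed): drop everything, force re-login.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    // Rotate on a timer rather than on every hit: regenerating the ID on each request
    // breaks concurrent AJAX/remoting calls that are still in flight with the old ID.
    if (time() - ($_SESSION['rotated_at'] ?? 0) > $rotateEvery) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
    return true;
}

// Usage in a front controller (REMOTE_ADDR is assumed to be the real client address;
// behind a reverse proxy, derive it from the proxy's forwarded header instead):
//   startHardenedSession();
//   if (!guardSession($_SERVER['REMOTE_ADDR'])) {
//       header('Location: /login.php');
//       exit;
//   }
// and in the login handler, after verifying the password:
//   onLoginSuccess($user->id, $_SERVER['REMOTE_ADDR']);
```

The IP comparison carries the same trade-off as the token in the question: it stops a stolen cookie from being used from a different network, but it also ends the session of a legitimate user whose address changes. Some deployments compare only the first octets, or skip the check for known mobile ranges; whichever you choose, `session.use_strict_mode` and the `secure`/`httponly` flags cost nothing and close the easiest attacks.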