<?php
session_start();
// After user logged in
session_regenerate_id();
$_SESSION['logged_in'] = 1;
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT'];
// Session Checking
function session_check(){
if(isset($_SESSION['logged_in']) && !empty($_SESSION['logged_in'])){
if(isset($_SESSION['ip']) && !empty($_SESSION['ip']) && ($_SESSION['ip'] == $_SERVER['REMOTE_ADDR'])){
if(isset($_SESSION['agent']) && !empty($_SESSION['agent']) && ($_SESSION['agent'] == $_SERVER['HTTP_USER_AGENT'])){
return true;
} else {
echo "Not allowed to view this page. Error no: 3. You will be redrected to login page in few seconds";
header('Refresh: 3; url=./login.php');
}
} else {
echo "Not allowed to view this page. Error no: 2. You will be redirected to login page in few seconds";
header('Refresh: 3; url=./login.php');
}
} else {
echo "You are not allowed to view this page. Error no: 1. You will be redirected to login page in few seconds";
header('Refresh: 3; url=./login.php');
return false;
}
}
And I keep getting error no2 when I run:
if(session_check()){ echo "something";}
Is it because I am using dynamic IP?
Is my code good enough to protect session hijacking?
If i exclude the ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']), it works perfectly..
Important Question:
What are your anti session hijacking methods? Can share with us? Using IP-checking, user-agent checking or probably other methods??