I apologize ahead of time, because I'm neither great at explaining things nor flow charts. This is not a specific code problem, but a general question on session security.
I'm trying to eliminate as many potential problems as possible at once. I think this takes care of:
- CSRF
- Session fixation
- Session prediction
- Cookie theft (through browser vulnerabilities)
- Session sidejacking
I realize the session can still be sidejacked if both the attacker's IP and user-agent header are the same as the authenticated user's. I guess to make that bulletproof you would need SSL?
I would appreciate any critiques, if you can make out what I'm trying to say with the clusterfuck below. This is more or less what I'm doing:
EDIT - another question I had: Is it safe to assume that a user will not have an IP address that changes frequently enough for this to become a problem?
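As an added example (my own code, not the poster's), here is the scheme the question describes as a minimal server-side session store: unguessable IDs, rotation on login, a client fingerprint check, and a per-session CSRF token. The class and method names (`SessionStore`, `bind_ip`) are hypothetical, and the client fingerprint is assumed to be built from the User-Agent plus, optionally, the IP address.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: each control maps to one item in the question's list.
# Random IDs from the OS CSPRNG defeat prediction; rotating the ID at login
# defeats fixation; binding the session to a client fingerprint rejects a
# stolen or sidejacked cookie replayed from another client; a per-session
# token bound to the session covers CSRF.

@dataclass
class Session:
    binding: str                 # sha256 hex digest of the client fingerprint
    csrf_token: str              # per-session anti-CSRF token
    user: Optional[str] = None   # None until authenticated

class SessionStore:
    def __init__(self, bind_ip: bool = True):
        self.bind_ip = bind_ip   # hypothetical switch: IP binding is optional
        self._sessions: Dict[str, Session] = {}

    def _fingerprint(self, ip: str, user_agent: str) -> str:
        # With bind_ip=False only the User-Agent is bound, for deployments
        # whose clients change address mid-session.
        parts = [user_agent] + ([ip] if self.bind_ip else [])
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def create(self, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[sid] = Session(self._fingerprint(ip, user_agent),
                                      secrets.token_urlsafe(32))
        return sid

    def lookup(self, sid: str, ip: str, user_agent: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        expected = self._fingerprint(ip, user_agent)
        if s is None or not hmac.compare_digest(s.binding, expected):
            return None   # unknown ID, or cookie presented from another client
        return s

    def login(self, sid: str, ip: str, user_agent: str, user: str) -> Optional[str]:
        # Rotate the ID on authentication so an ID planted before login is useless.
        if self.lookup(sid, ip, user_agent) is None:
            return None
        del self._sessions[sid]
        new_sid = self.create(ip, user_agent)
        self._sessions[new_sid].user = user
        return new_sid

    def check_csrf(self, sid: str, ip: str, user_agent: str, token: str) -> bool:
        s = self.lookup(sid, ip, user_agent)
        return s is not None and hmac.compare_digest(s.csrf_token, token)
```

The `bind_ip` switch is there because the IP question in the EDIT depends on the user base: clients behind carrier NAT or on mobile networks can change address mid-session, so the store can fall back to User-Agent-only binding.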