I use HTTPS, but want to minimize the risk of someone evil crafting their own cookies with a session ID that someone else actually uses recently.
As a session variable I have an expiry time so the session is invalidated if it hasn't been used recently, so I figure the window of opportunity is when the victim is active or recently left the site without logging out properly.
I don't expect huge amounts of traffic and I use the standard php methods of generating session IDs. I believe the "risk" of someone actually succeed (or even try) hijacking someones session here is close to zero.
What I would want to do is to "identify" the remote user somehow, without using $_SERVER['REMOTE_ADDR']
. My thoughts being that the attacker would have to both find a valid session ID, as well as impersonating the different properties of the actual user.
I don't want to force the user to use a certificate to log in. I want it to work in all standard web browsers, even for my grandmother and other non tech-people like her.
So, what I originally wanted to ask was: are there any "properties" of the HTTPS session that could be used? Would they be useful? If so, how do I find them? phpinfo()
reveals nothing HTTPS specific. (Is it because httpd
doesn't expose it?)
Should I just use a concatenation of HTTP_USER_AGENT
+ HTTP_ACCEPT
+ HTTP_ACCEPT_LANGUAGE
+ HTTP_ACCEPT_ENCODING
+ HTTP_ACCEPT_CHARSET
or something similar that is assumed to be unique enough between users?
Very happy for all answers! (But please read the question before answering with only referrals to other questions on StackOverflow) Thank you!