Securing PHP sessions via hash which incorporates user-agent no longer works for IE10


I have a session management class in PHP that regenerates a security hash every time the session is loaded in order to prevent session hijacking. Recently I've come across complaints that users with IE 10 keep getting logged out. I have traced this problem back to a possible issue with IE10 + unknown addons causing the user agent to vary slightly from one page load to the next. I have no proof that this is actually happening because I cannot reproduce it, but it makes sense that this would break the session if the case since even one character changing in the browsers user agent string would cause an invalid security hash to be generated, causing a log out.

My question is simple: Assuming the above is true, what other values are there to use in place of the user agent. This must be some sort of constant string that would likely vary between users and it must be supplied by the user. At first I was going to use the hashed version of the users password from the database, but then I realized that this is no good because its not being supplied by the user and thus would remain "correct" in the event of a hijacking attempt.

I know IP is bad as this can change for a user throughout a browsing session depending on their local network setup. I'm really not sure ifX-Forwarded-For is reliable but something tells me that it is not.

Perhaps the best solution is to set up some higher level browser detection and then use the reduced browser name so that slight variations in the UA string will not effect the string used in the hash...

Anyway, I'm just hoping to get some insight on this, hope some of you got something for me :P




I just took a look at PHP get_browser() and decided it would be best to just go with derrived strings from this function so that slight alerations to the user agent doesn't break the session:

// get browser data
$browser = get_browser();

// create security hash
// Other stuff is done here that I omitted from this post for security reasons :)
$_SESSION["security_hash"] = sha1($static_key . $dynamic_key . $browser->platform . $browser->browser . $browser->version);

People are also looking for solutions to the problem: Saving IMAP XLS Attchements with PHP


Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.