Securing PHP sessions via hash which incorporates user-agent no longer works for IE10
I have a session management class in PHP that regenerates a security hash every time the session is loaded in order to prevent session hijacking. Recently I've come across complaints that users with IE10 keep getting logged out. I have traced this problem back to a possible issue with IE10 + unknown add-ons causing the user agent to vary slightly from one page load to the next. I have no proof that this is actually happening because I cannot reproduce it, but it makes sense that this would break the session if that is the case, since even one character changing in the browser's user agent string would cause an invalid security hash to be generated, causing a log out.
My question is simple: assuming the above is true, what other values are there to use in place of the user agent? This must be some sort of constant string that would likely vary between users, and it must be supplied by the user. At first I was going to use the hashed version of the user's password from the database, but then I realized that this is no good because it's not being supplied by the user and thus would remain "correct" in the event of a hijacking attempt.
I know IP is bad as this can change for a user throughout a browsing session depending on their local network setup. I'm really not sure if X-Forwarded-For is reliable, but something tells me that it is not.
Perhaps the best solution is to set up some higher-level browser detection and then use the reduced browser name so that slight variations in the UA string will not affect the string used in the hash...
Anyway, I'm just hoping to get some insight on this, hope some of you got something for me :P
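As an added example (not the asker's class and not an answer from this thread), here is a PHP sketch of the "reduced browser name" idea from the post: the raw User-Agent is collapsed to a coarse browser family before it is bound to the session, so an add-on token drifting in and out of the IE10 UA string no longer invalidates the session, while a different browser family presenting the same cookie still does. The function names (`browser_family`, `session_fingerprint`, `start_bound_session`), the family regexes and the sample User-Agent strings are all constructed for illustration, and the code assumes PHP 7 or later. One caveat a practitioner should keep in mind: the User-Agent is chosen by the client, so a check derived from it only catches a hijacker who does not bother to copy the victim's UA; treat it as defense in depth next to `session_regenerate_id(true)` on login and the cookie flags, not as the primary control.

```php
<?php
// Added example, not the asker's class: bind a PHP session to a coarse
// browser family instead of the raw User-Agent string. Function names,
// regexes and the sample User-Agent strings below are constructed for
// illustration. Assumes PHP 7+ (scalar type hints, random_bytes).

/**
 * Reduce a raw User-Agent string to a coarse browser family.
 * Edge and Opera are matched before Chrome, and Chrome before Safari,
 * because each of those UAs also carries the later tokens.
 * IE11 dropped the "MSIE" token, so "Trident/" is matched as well.
 */
function browser_family(string $ua): string
{
    $families = [
        'msie'    => '~\bMSIE\b|\bTrident/~',
        'edge'    => '~\bEdge?/~',          // "Edge/" (legacy) or "Edg/" (Chromium)
        'opera'   => '~\bOPR/|\bOpera\b~',
        'chrome'  => '~\bChrome/~',
        'firefox' => '~\bFirefox/~',
        'safari'  => '~\bSafari/~',
    ];
    foreach ($families as $family => $pattern) {
        if (preg_match($pattern, $ua) === 1) {
            return $family;
        }
    }
    return 'other';
}

/**
 * Value stored in $_SESSION and re-checked on every request. Hashing a
 * per-session random nonce together with the family means the stored value
 * differs between users even when their browser family is the same.
 */
function session_fingerprint(string $ua, string $nonce): string
{
    return hash('sha256', browser_family($ua) . "\0" . $nonce);
}

/**
 * Start (or resume) the session and enforce the fingerprint.
 * Returns true when the request is accepted, false when the session was
 * discarded because the browser family changed mid-session.
 * Call as: start_bound_session($_SERVER['HTTP_USER_AGENT'] ?? '');
 */
function start_bound_session(string $ua): bool
{
    session_start();
    if (!isset($_SESSION['fp_nonce'], $_SESSION['fp_hash'])) {
        // New session: rotate the ID so a fixated ID is thrown away, then bind it.
        session_regenerate_id(true);
        $_SESSION['fp_nonce'] = bin2hex(random_bytes(16));
        $_SESSION['fp_hash']  = session_fingerprint($ua, $_SESSION['fp_nonce']);
        return true;
    }
    $expected = session_fingerprint($ua, $_SESSION['fp_nonce']);
    if (!hash_equals($_SESSION['fp_hash'], $expected)) {
        // Different browser family on the same session cookie: possible hijack.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Constructed User-Agent strings: the second IE10 string carries an extra
// add-on token of the kind the post suspects; the third is a different browser.
$ie10      = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)';
$ie10Addon = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SomeAddon/1.0)';
$firefox   = 'Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0';
$nonce     = bin2hex(random_bytes(16));

// Compare the fingerprint of the plain IE10 UA with the add-on variant and with Firefox.
var_dump(session_fingerprint($ie10, $nonce) === session_fingerprint($ie10Addon, $nonce));
var_dump(session_fingerprint($ie10, $nonce) === session_fingerprint($firefox, $nonce));
```

Run from the command line, the first comparison is true (both IE10 strings collapse to the `msie` family) and the second is false. The per-session nonce is what gives the stored hash the "varies between users" property the post asks for; the browser family alone has only a handful of possible values, so hashing it by itself would add nothing over storing the family name in `$_SESSION` directly.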