PHP REMOTE_ADDR and secure sessions

One of the ways I've used security sessions in the past is also to record the IP addresses of clients and user agents in a handshake. Each time the client moves the page and calls `session_start()`, I also check that the IP address and user agent are still stored to prevent hijacking.

But if someone connects from a network of companies, then all users will likely have the same external static IP address, and they can also very easily use the same user agent. Is it possible to use other indicators that are local only to the physical machine?

Thanks

+3
3 answers

Actually not in terms of publicly available and reliable indicators, no. There are headers such as `X-HTTP-FORWARDED-FOR`, sometimes sent by proxies, but any self-respecting router does not tell the server its clients are accessing.

I think the best you can do is a combination of:

  • Cookie session
  • User Agent String

I would not check the IP address, first for the reason you mentioned, and secondly because some Internet providers, such as AOL, use proxies that can have the same client IP address several times in the course of the same session.

"" , , - Geolocation. cookie IP, , , , ( ) , , , - . "", - , VPN.

, -, - . , . MaxMind Geobytes. , , , , Amazon, PayPal .., .

+2
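The combination suggested in the answer above (session cookie plus User-Agent, with `REMOTE_ADDR` deliberately left out), as an added example that is not part of the original thread. The function names and the sample User-Agent strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: helper names are hypothetical, not from the thread.

/** Fingerprint from the User-Agent only; REMOTE_ADDR is left out on purpose. */
function client_fingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

/**
 * True when the session is new or still matches the client that created it.
 * On a mismatch the session data is discarded and false is returned.
 */
function verify_session_binding(array &$session, array $server): bool
{
    $current = client_fingerprint($server);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $current; // first request: record the handshake
        return true;
    }
    if (is_string($session['fingerprint'])
        && hash_equals($session['fingerprint'], $current)) {
        return true;
    }
    $session = []; // fingerprint changed: drop everything stored so far
    return false;
}

if (PHP_SAPI !== 'cli') {
    // Web request: harden the cookie itself, then check the binding.
    session_start([
        'cookie_httponly' => true,
        'cookie_secure'   => true,
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,
    ]);
    if (!verify_session_binding($_SESSION, $_SERVER)) {
        session_regenerate_id(true); // fresh ID for the now-empty session
        http_response_code(401);
        exit;
    }
} else {
    // Offline run with constructed sample data.
    $s = [];
    $a = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
    $b = ['HTTP_USER_AGENT' => 'OtherBrowser/2.0'];
    var_dump(verify_session_binding($s, $a)); // first request
    var_dump(verify_session_binding($s, $a)); // same client again
    var_dump(verify_session_binding($s, $b)); // User-Agent changed
}
```

The User-Agent check supplements the session cookie and does not replace it; as the question notes, clients behind the same network can share both IP address and user agent.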

, . , , -.

0

Session ID were invented as unique

-3

Source: https://habr.com/ru/post/1743943/
