I use HTTPS, but I want to minimize the risk that someone will maliciously process their cookies with a session ID that someone else has recently used.
As a session variable, I have an expiration time, so a session is considered invalid if it has not been used recently, so I believe that the window of opportunity is when the victim is active or has recently left the site without logging out properly.
I do not expect large volumes of traffic, and I use standard php methods for generating session identifiers. I believe that the "risk" of someone actually succeeds (or even tries) to capture someone's session here is close to zero.
What I would like to do is to "identify" the remote user without using it $_SERVER['REMOTE_ADDR']. My thoughts are that the attacker will have to both find the correct session identifier and impersonate different properties of the actual user.
I do not want to force the user to use the certificate for login. I want it to work in all standard web browsers, even for my grandmother and other non-technical people like her.
So, I originally wanted to ask: are there any “properties” of the HTTPS session that could be used? Will they be helpful? If so, how to find them? phpinfo()It does not show anything specific HTTPS. (Is it because he httpddoesn't expose him?)
HTTP_USER_AGENT + HTTP_ACCEPT + HTTP_ACCEPT_LANGUAGE + HTTP_ACCEPT_ENCODING + HTTP_ACCEPT_CHARSET - , ?
! (, , , StackOverflow)
!