Re: Why are they more secure?
on 31.03.2008 18:31:50 by gordon
On Mar 12, 8:18 am, Gilles Ganault
> On Tue, 11 Mar 2008 10:19:51 +0000, Toby A Inkster
>
> >Sessions tend not to expire while they are being actively used, which
> >makes the expiration of sessions of little value in a security context.
>
> Thanks guys for the input. One site I know of uses sessions with
> HTTPS, and takes a very long time to check that a user is still
> active, so a session ID can remain accessible for a good 30mn :-/
The session_regenerate_id function in PHP mitigates this problem
somewhat: it causes a user with a valid session ID to be assigned a
different ID on every call. If you call session_regenerate_id on
every page view, then every session ID is essentially valid for one
page view and one page view only.
Of course that's no guarantee that the session hasn't been hijacked,
but it does make hijacking the session in the first place far more
difficult. If you keep a note on the server of some additional data
that's unique to each connection (the IP address of the requester, for
example), you can keep an eye on it for changes. If, for example,
you're keeping track of a logged-in user's IP and that IP changes part
way through the session, then that's a sign that the session might have
been hijacked (of course it also might be a sign that the user is
behind a proxy that rotates his IP address between page views; no
approach is problem-free, unfortunately). If that happens, then you
could log the user out, issue some kind of challenge/response test,
or log it as suspicious activity, whatever seems appropriate for the
application in question.
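The two mitigations gordon describes (regenerate the ID on every page view, and bind the session to the requester's IP so a change can be detected) as one PHP function. This is an added example, not code from the original thread; the function name, the `bound_ip` and `reauth_required` session keys, and the log-and-force-reauth policy on mismatch are my own choices, and the array form of session_set_cookie_params assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Call once at the top of every page instead of a bare session_start().
function secure_session_start(): void
{
    // Never accept an uninitialised, client-supplied session ID, and keep
    // the cookie off plain HTTP and out of reach of script.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $client_ip = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['bound_ip'])) {
        // First request of a new session: record the binding data.
        $_SESSION['bound_ip'] = $client_ip;
    } elseif ($_SESSION['bound_ip'] !== $client_ip) {
        // IP changed mid-session: possible hijack, or a rotating proxy.
        // Policy chosen here (an assumption): log it, discard all session
        // state, and make the application ask the user to log in again.
        error_log(sprintf(
            'session %s: client IP changed from %s to %s',
            session_id(), $_SESSION['bound_ip'], $client_ip
        ));
        $_SESSION = [];
        session_regenerate_id(true);   // old ID is deleted server-side
        $_SESSION['bound_ip']        = $client_ip;
        $_SESSION['reauth_required'] = true;
        return;
    }

    // Normal request: hand out a fresh ID and delete the old one, so the
    // ID that was just used is valid for exactly this one page view.
    session_regenerate_id(true);
}

secure_session_start();
if (!empty($_SESSION['reauth_required'])) {
    // Application-specific: redirect to the login page, show a challenge, etc.
    http_response_code(401);
    exit('Please log in again.');
}
```

Regenerating on every request does have a cost: concurrent requests from the same browser (parallel AJAX calls, for instance) may still carry the old ID and be rejected, so many deployments regenerate only on login, privilege change and a timer instead.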