Hey guys, Anyone doing session validation between HTTP requests? I know that the HTTP headers can all be changed and spoofed, but for legitimate users, I expect the HTTP headers I'm using below to NOT change between requests, during the same session.
I've been looking into this lately, but ran across sites (like http://shiflett.org/articles/the-truth-about-sessions) that say that HTTP_ACCEPT_CHARSET can legitimately change between requests during a session. I've never run into this in testing, so I was wondering if somebody could confirm that statement. What about the other HTTP headers I'm using below? Can those legitimately and realistically change as well during a session?

Any ideas, comments, or suggestions would be greatly welcomed!

Thanks,
Konstantin

    <?php
    session_start();

    // Concatenate whichever of these request headers are present into one string.
    $client_id = '';
    if (isset($_SERVER['HTTP_ACCEPT_CHARSET']) === true) {
        $client_id .= $_SERVER['HTTP_ACCEPT_CHARSET'];
    }
    if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) === true) {
        $client_id .= $_SERVER['HTTP_ACCEPT_ENCODING'];
    }
    if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) === true) {
        $client_id .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
    }
    if (isset($_SERVER['HTTP_USER_AGENT']) === true) {
        $client_id .= $_SERVER['HTTP_USER_AGENT'];
    }

    // $_SESSION['client_id_hash'] is expected to have been set to md5($client_id) at login;
    // a missing or different hash ends the session.
    if (!isset($_SESSION['client_id_hash']) || $_SESSION['client_id_hash'] !== md5($client_id)) {
        header('Location: /logout');
        exit();
    }

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
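An added example, not Konstantin's code, showing the same check with Accept-Charset left out of the fingerprint (the header the linked article says can change mid-session), a constant-time hash comparison, and a log line naming which header changed so a false positive such as a browser update can be told apart from a hijacked session. The function names are hypothetical; it assumes fingerprint_store() is called once right after a successful login.

```php
<?php
// Added example, not the poster's code: fingerprint_store() is assumed to run once right after login.
// Accept-Charset is deliberately left out: the linked article says it can change mid-session.
const FP_HEADERS = ['HTTP_USER_AGENT', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_ENCODING'];

function fingerprint_parts(array $server): array {
    $parts = [];
    foreach (FP_HEADERS as $h) {
        // A missing header is recorded as '' so its absence is part of the fingerprint too.
        $parts[$h] = isset($server[$h]) ? trim($server[$h]) : '';
    }
    return $parts;
}

function fingerprint_hash(array $parts): string {
    $buf = '';
    foreach ($parts as $name => $value) {
        // Length-prefix each value so different header sets cannot join into the same string.
        $buf .= $name . ':' . strlen($value) . ':' . $value . "\n";
    }
    return hash('sha256', $buf);
}

function fingerprint_store(array $server): void {
    $parts = fingerprint_parts($server);
    $_SESSION['client_fp'] = fingerprint_hash($parts);
    $_SESSION['client_fp_parts'] = $parts; // kept only so a mismatch can name the header
}

// Returns the headers that differ from the stored baseline; an empty array means a match.
function fingerprint_changed(array $server): array {
    if (!isset($_SESSION['client_fp'], $_SESSION['client_fp_parts'])) {
        return FP_HEADERS; // no baseline in this session: treat as a full mismatch
    }
    $now = fingerprint_parts($server);
    if (hash_equals($_SESSION['client_fp'], fingerprint_hash($now))) { return []; }
    $changed = [];
    foreach ($now as $h => $v) {
        if (($_SESSION['client_fp_parts'][$h] ?? '') !== $v) { $changed[] = $h; }
    }
    return $changed;
}

session_start();
$changed = fingerprint_changed($_SERVER);
if ($changed !== []) {
    // Log which header moved so a browser update can be told apart from a hijacked session.
    error_log('session fingerprint mismatch (' . implode(',', $changed) . ') sid=' . session_id());
    session_unset(); session_destroy();
    header('Location: /logout');
    exit();
}
```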
