Ping... sorry, just wanted to see one last time if anyone had any suggestions/ideas?
On Sat, Aug 1, 2009 at 3:35 AM, Konstantin Rozinov<[email protected]> wrote:
> Hey guys,
>
> Anyone doing session validation between HTTP requests? I know that
> the HTTP headers can all be changed and spoofed, but for legitimate
> users, I expect the HTTP headers I'm using below to NOT change between
> requests, during the same session.
>
> I've been looking into this lately, but ran across sites (like
> http://shiflett.org/articles/the-truth-about-sessions) that say that
> HTTP_ACCEPT_CHARSET can legitimately change between requests during a
> session. I've never run into this in testing, so I was wondering if
> somebody could confirm that statement?
>
> What about the other HTTP headers I'm using below. Can those
> legitimately and realistically change as well during a session?
>
> Any ideas, comments, or suggestions would be greatly welcomed!
>
> Thanks,
> Konstantin
>
>
> // The session must be open before $_SESSION is read or written.
> session_start();
>
> // Concatenate the headers that are expected to stay constant for one client.
> $client_id = '';
>
> if (isset($_SERVER['HTTP_ACCEPT_CHARSET']) === true)
> {
>     $client_id .= $_SERVER['HTTP_ACCEPT_CHARSET'];
> }
> if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) === true)
> {
>     $client_id .= $_SERVER['HTTP_ACCEPT_ENCODING'];
> }
> if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) === true)
> {
>     $client_id .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
> }
> if (isset($_SERVER['HTTP_USER_AGENT']) === true)
> {
>     $client_id .= $_SERVER['HTTP_USER_AGENT'];
> }
>
> // Record the hash on the first request of a session; otherwise the
> // comparison below has nothing to compare against and always logs out.
> if (isset($_SESSION['client_id_hash']) === false)
> {
>     $_SESSION['client_id_hash'] = md5($client_id);
> }
>
> // Any change in the header set ends the session.
> if ($_SESSION['client_id_hash'] !== md5($client_id))
> {
>     header('Location: /logout');
>     exit();
> }
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
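The header-fingerprint check from the quoted message, written out as a self-contained PHP example. This is added illustration, not code from the thread or from the NYPHP list: the function names (`client_fingerprint`, `session_fingerprint_ok`, `end_session`) and the session key `client_id_hash` are this example's own choices. Compared with the quoted snippet it leaves out `HTTP_ACCEPT_CHARSET`, which the article cited in the thread says can change mid-session; it tags each header with its name and joins the fields with a separator, so a missing header or a value containing another header's text cannot collide with a different header set the way plain concatenation can; it records the fingerprint on the first request instead of assuming the session value exists; it compares with `hash_equals()`; and on mismatch it destroys the session and its cookie rather than only redirecting. The CLI block at the bottom runs the logic offline against constructed header sets.

```php
<?php
// Added example (not from the thread): bind a PHP session to a fingerprint of
// request headers that should stay stable for one client during one session.
// Function and key names are this example's own assumptions.

declare(strict_types=1);

// Headers folded into the fingerprint. HTTP_ACCEPT_CHARSET is deliberately
// omitted because the article cited in the thread reports it can change.
const FINGERPRINT_HEADERS = [
    'HTTP_USER_AGENT',
    'HTTP_ACCEPT_LANGUAGE',
    'HTTP_ACCEPT_ENCODING',
];

/**
 * Build a fingerprint from a $_SERVER-style array. Each header is prefixed
 * with its name and the fields are joined with a NUL byte, so "which header
 * was absent" and "where one value ends" are both unambiguous.
 */
function client_fingerprint(array $server): string
{
    $parts = [];
    foreach (FINGERPRINT_HEADERS as $name) {
        $parts[] = $name . '=' . ($server[$name] ?? '');
    }
    return hash('sha256', implode("\x00", $parts));
}

/**
 * Check the request against the fingerprint stored in the session array.
 * The first request of a session records the fingerprint and passes; later
 * requests pass only if the fingerprint is unchanged. hash_equals() keeps the
 * comparison constant-time.
 */
function session_fingerprint_ok(array &$session, array $server): bool
{
    $current = client_fingerprint($server);
    if (!isset($session['client_id_hash'])) {
        $session['client_id_hash'] = $current;
        return true;
    }
    return hash_equals($session['client_id_hash'], $current);
}

/** Tear the session down server-side and expire its cookie. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI !== 'cli') {
    // Web request: enforce the binding before any application logic runs.
    session_start();
    if (!session_fingerprint_ok($_SESSION, $_SERVER)) {
        end_session();
        header('Location: /logout');
        exit();
    }
} else {
    // Offline demo with constructed header sets (run with: php this_file.php).
    $session = [];
    $first = [
        'HTTP_USER_AGENT'      => 'ExampleBrowser/1.0',   // constructed value
        'HTTP_ACCEPT_LANGUAGE' => 'en-US,en;q=0.5',
        'HTTP_ACCEPT_ENCODING' => 'gzip, deflate',
        'HTTP_ACCEPT_CHARSET'  => 'utf-8',
    ];
    // First request of the session: the fingerprint is recorded.
    var_dump(session_fingerprint_ok($session, $first));

    // Only Accept-Charset changes; it is not part of the fingerprint, so the
    // session remains valid.
    $second = $first;
    $second['HTTP_ACCEPT_CHARSET'] = 'iso-8859-1';
    var_dump(session_fingerprint_ok($session, $second));

    // The User-Agent changes within the same session; the check rejects it.
    $third = $first;
    $third['HTTP_USER_AGENT'] = 'OtherBrowser/2.0';
    var_dump(session_fingerprint_ok($session, $third));
}
```

Two design notes. Hashing the fingerprint does not make it a secret: anyone who can send requests with a stolen session cookie and a copied User-Agent still passes, so this is a cheap extra hurdle on top of HTTPS-only, HttpOnly cookies and `session_regenerate_id()` at login, not a replacement for them. And because legitimate header drift logs the user out, it is worth logging mismatches with the session id and the two fingerprints before deciding how strict to be in production.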
