bahaa, posted May 28, 2011: Hello. As Larry explained in the book, an attacker could use the session fixation technique to get control over a user's session ID, and one of the measures taken to prevent this, or at least minimize it, is to use the user agent. I am not familiar with JavaScript at all, so I was wondering if it is possible to get the user's screen resolution and the user's PC name with JavaScript and use it with PHP. I think it would be more secure to check the session against the user agent, the screen resolution and the PC name.
Larry, posted June 1, 2011: I disagree. I don't think you can get the user's PC name using JavaScript (or at least I hope not, as that'd be terribly insecure), and the screen resolution will not have as many common values as the user agent. Also, if it's something detectable by JavaScript, it could easily be faked. Another technique for preventing session fixation is to use session_regenerate_id() after a person logs in to automatically change the session ID.
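To make Larry's suggestion concrete, here is an added example (not code from the thread or from the book) of a minimal PHP login handler that regenerates the session ID at the moment of authentication. The user table, the `find_password_hash()` lookup and the credentials are constructed for the example; in a real application the hash would come from your database. The `session.use_strict_mode` setting is assumed to be available (it was added to PHP after this thread was written) and makes the server refuse any session ID it did not itself issue, which closes the fixation hole at the transport level, while `session_regenerate_id(true)` closes it at login.

```php
<?php
declare(strict_types=1);

// Constructed sample user store for the example only: one user whose
// password is hashed at startup so the script runs stand-alone.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hypothetical lookup standing in for a database query.
function find_password_hash(array $users, string $username): ?string
{
    return $users[$username] ?? null;
}

// Session hardening must happen before session_start().
ini_set('session.use_only_cookies', '1');   // ignore session IDs passed in the URL
ini_set('session.use_strict_mode', '1');    // reject IDs the server never issued
session_set_cookie_params([
    'httponly' => true,   // cookie not readable from JavaScript
    'secure'   => true,   // cookie only sent over HTTPS
    'samesite' => 'Lax',
]);

session_start();

function login(array $users, string $username, string $password): bool
{
    $hash = find_password_hash($users, $username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;   // unknown user or wrong password: session untouched
    }

    // Whatever ID the browser arrived with (possibly planted by an attacker
    // through fixation) is discarded here. The `true` argument also deletes
    // the old session data on the server, so the old ID is useless.
    session_regenerate_id(true);

    // Only populate privileged state after the ID has changed.
    $_SESSION['user']      = $username;
    $_SESSION['logged_in'] = true;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage: authenticate the constructed user.
$ok = login($users, 'alice', 'correct horse battery staple');
echo $ok ? "login ok, session id: " . session_id() . PHP_EOL
         : "login failed" . PHP_EOL;
```

The important ordering is that `session_regenerate_id(true)` runs after the password check succeeds and before anything privileged is written to `$_SESSION`; regenerating on every request is unnecessary and can break concurrent requests, but regenerating on every privilege change (login, role switch) is the part that defeats fixation.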
HartleySan, posted June 2, 2011: In the context you're referring to, the user agent more or less equates to information about the browser being used. In other words, the browser name, version, etc. You cannot confirm any of the things you want to confirm from JS. As Larry said, giving JS access to a user's local machine would pose a huge security risk. Basically, just do what Larry suggests.
bahaa (author), posted June 2, 2011: Thanks guys, I will stick with the user agent and session_regenerate_id().
HartleySan, posted June 2, 2011: We were saying that you don't need to use the user agent information. Just use session_regenerate_id().