Larry Ullman's Book Forums

Question Regarding Protecting The Session Id



Hello,

 

As Larry explained in the book, an attacker could use the session fixation technique to get control over a user's session ID, and one of the measures taken to prevent this, or at least minimize it, is using the user agent.

I am not familiar with JavaScript at all, so I was wondering if it is possible to get the user's screen resolution and the user's PC name with JavaScript and use it with PHP.

I think it would be more secure to check the user agent, the screen resolution and the PC name against the session.


I disagree. I don't think you can get the user's PC name using JavaScript (or at least I hope not, as that'd be terribly insecure) and the screen resolution will not have as many common values as the user agent. Also, if it's something detectable by JavaScript, it could easily be faked.

 

Another technique for preventing session fixation is to use session_regenerate_id() after a person logs in to automatically change the session ID.

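As an added example, not code from the thread or from the book, here is how the two measures discussed above (checking the user agent stored at login, and calling session_regenerate_id() once the user has authenticated) fit together in a plain PHP login handler. It assumes a hypothetical verify_credentials() helper that returns a user ID on success and null otherwise, and a PHP version with the array form of session_set_cookie_params() (7.3 or later).

```php
<?php
// Added example (not from the forum thread or the book): session hardening
// against fixation in plain PHP. verify_credentials() is a hypothetical helper.

declare(strict_types=1);

// Cookie flags: HttpOnly keeps JavaScript away from the ID, Secure limits it
// to HTTPS, SameSite=Lax stops most cross-site requests from carrying it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Strict mode: refuse any session ID the server never issued, which defeats
// an attacker handing a victim a pre-chosen ID. Must be set before session_start().
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// Hash of the user agent recorded at login and compared on later requests.
// This is a weak heuristic (the header is client-controlled), used only as a
// cheap extra check alongside ID regeneration, as the thread notes.
function agent_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Called once credentials have been verified. Regenerating the ID here means
// any ID planted before login no longer maps to the authenticated session;
// passing true also deletes the old session data on the server.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['agent']    = agent_fingerprint();
    $_SESSION['login_at'] = time();
}

// True only if the session is authenticated and the user agent still matches
// the one seen at login; on a mismatch the session is destroyed.
function session_is_valid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['agent'])) {
        return false;
    }
    if (!hash_equals($_SESSION['agent'], agent_fingerprint())) {
        logout_user();
        return false;
    }
    return true;
}

// Clears session data, expires the cookie and removes the server-side record.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage as a form POST handler (verify_credentials() is hypothetical).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userId = verify_credentials($_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($userId !== null) {
        login_user($userId);
        header('Location: /account.php');
        exit;
    }
}

// Protected pages call session_is_valid() before rendering anything.
```

The important ordering is that session_regenerate_id() runs after authentication succeeds but before anything sensitive is written to $_SESSION, and that use_strict_mode is set before session_start(); the user agent check is kept as a secondary signal only, since anything the client sends can be spoofed.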

In the context you're referring to, the user agent more or less equates to information about the browser being used. In other words, the browser name, version, etc. You cannot confirm any of the things you want to confirm from JS. As Larry said, that poses a huge security risk to give JS access to a user's local machine.

 

Basically, just do what Larry suggests.
