Prior to making this post I posted a code example about storing sessions in a database. I showed you how to do some session hijacking checks based on the user's IP (in the function CheckSession). I believe I also mentioned that checking by a user's IP is not the best way to do this: since AOL users tunnel through a proxy, their IP is bound to change. Here I am going to show another method that was brought to my attention by Chris Shiflett.
A good way to check that a person is who they claim to be is to monitor their behavior. If something is consistent for X page loads and then all of a sudden changes, that is abnormal behavior. On the first page load this code stores the user's UserAgent in a session variable; on every later page load it compares the stored value with the current one, and if they match it increments a counter by 1. If the UserAgent changes, it checks whether the counter has reached UA_THRESHOLD. If so, the UserAgent had not changed over the last X page loads, and it is not normal for it to change now, so the code displays the password dialog. We don't want to be harsh when dealing with the session, because it could well be the same user, so we prompt for their password. If they enter an incorrect password more than PW_MAX_CHECKS times, the session is destroyed and the user is redirected to the index page. If they enter the correct password, the counter is reset and the user is allowed to continue.
You can use this method with any type of tracking. The basic idea is to track the user's activity and, when something doesn't seem right, handle the situation lightly. For users whose UserAgent changes frequently there is not much you can do; you could fall back to a different check built on the same method but keyed on the user's IP.
If you learn from this code please leave some comments. Many thanks to the NYPHP User Group for participating in this discussion and helping me see different ways to accomplish this task, and many thanks to Chris Shiflett for pointing out this method.
<?php
// assumes session_start() has already run and UA_THRESHOLD has been defined,
// e.g. define('UA_THRESHOLD', 10); (the value is an example, tune it for your site)

// check to see if UA_CHECKS is instantiated, if not set it to 0
if (!isset($_SESSION['UA_CHECKS'])) $_SESSION['UA_CHECKS'] = 0;
// check to see if the user's UserAgent has been stored, if not store it
if (!isset($_SESSION['HTTP_USER_AGENT'])) $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
// check to see if the UA has changed
if ($_SESSION['HTTP_USER_AGENT'] == $_SERVER['HTTP_USER_AGENT']) {
    ++$_SESSION['UA_CHECKS'];
} else {
    // Check to see if the UA_CHECKS counter has reached UA_THRESHOLD
    if ($_SESSION['UA_CHECKS'] >= UA_THRESHOLD) {
        // It's not normal for the user's UA to change after being stable that long;
        // sessionReValidate() (defined elsewhere in the app) prompts for the password
        sessionReValidate($pwError);
    } else {
        // UA changed before the threshold was reached: start tracking again
        unset($_SESSION['UA_CHECKS']);
        unset($_SESSION['HTTP_USER_AGENT']);
    }
}
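The complete flow described above, including the sessionReValidate() routine that the snippet calls but does not show, as an added example that is not part of the original post. It assumes the page runs behind a login that stored the user's id in $_SESSION['user_id'], that fetchPasswordHash($userId) is a hypothetical helper returning that user's password_hash() value, and that the two threshold values are placeholders to tune for your site.

```php
<?php
// Added example, not the original post's code. Assumptions: $_SESSION['user_id']
// was set at login, fetchPasswordHash($userId) is a hypothetical helper returning
// the user's password_hash() value, and the two constants are placeholder values.
session_start();

define('UA_THRESHOLD', 10);  // loads the UserAgent must stay constant before a change counts as abnormal
define('PW_MAX_CHECKS', 3);  // wrong passwords allowed at the dialog before the session is destroyed

// Compare the stored UserAgent with the current one. Returns 'ok' when the
// request may proceed or 'revalidate' when the user should prove their password.
function checkUserAgentConsistency(array &$session, string $currentUa): string
{
    if (!isset($session['UA_CHECKS'])) {
        $session['UA_CHECKS'] = 0;
    }
    if (!isset($session['HTTP_USER_AGENT'])) {
        $session['HTTP_USER_AGENT'] = $currentUa;
    }

    if ($session['HTTP_USER_AGENT'] === $currentUa) {
        ++$session['UA_CHECKS'];
        return 'ok';
    }

    // The UserAgent changed. Treat it as suspicious only if it had been stable
    // for UA_THRESHOLD loads; otherwise (proxy users etc.) start tracking again.
    if ($session['UA_CHECKS'] >= UA_THRESHOLD) {
        return 'revalidate';
    }
    unset($session['UA_CHECKS'], $session['HTTP_USER_AGENT']);
    return 'ok';
}

// Soft handling of the anomaly: ask for the password rather than dropping the
// session outright. Returns 'prompt' (show the dialog), 'revalidated' (password
// accepted, trust the new UserAgent) or 'destroy' (too many failures).
function sessionReValidate(array &$session, ?string $submittedPassword, string $currentUa, callable $verifyPassword): string
{
    if ($submittedPassword === null) {
        return 'prompt';                          // first visit to the dialog
    }
    if ($verifyPassword((int) $session['user_id'], $submittedPassword)) {
        $session['HTTP_USER_AGENT'] = $currentUa; // adopt the new UserAgent
        $session['UA_CHECKS'] = 0;                // and restart the consistency counter
        unset($session['PW_CHECKS']);
        return 'revalidated';
    }
    $session['PW_CHECKS'] = ($session['PW_CHECKS'] ?? 0) + 1;
    return $session['PW_CHECKS'] >= PW_MAX_CHECKS ? 'destroy' : 'prompt';
}

// Request handling. Because the stored UserAgent still differs on the POST that
// carries the password, checkUserAgentConsistency() returns 'revalidate' again, so
// the dialog stays in force until the password is accepted or PW_MAX_CHECKS is hit.
$currentUa = $_SERVER['HTTP_USER_AGENT'] ?? '';
$state = checkUserAgentConsistency($_SESSION, $currentUa);

if ($state === 'revalidate') {
    $verify = function (int $userId, string $password): bool {
        return password_verify($password, fetchPasswordHash($userId)); // hypothetical helper
    };
    $state = sessionReValidate($_SESSION, $_POST['password'] ?? null, $currentUa, $verify);
}

switch ($state) {
    case 'destroy':
        $_SESSION = [];
        session_destroy();
        header('Location: /index.php');
        exit;
    case 'prompt':
        echo '<form method="post"><p>Please re-enter your password to continue.</p>'
           . '<input type="password" name="password"> <input type="submit" value="Continue"></form>';
        exit;
    case 'revalidated':
        session_regenerate_id(true);              // anyone holding the old session id loses it
        break;
}
// 'ok' or 'revalidated': continue with the normal page.
```

The session state is passed into the two functions as an array reference so the decision logic can be unit-tested without a running PHP session. Regenerating the session id after a successful re-validation is an addition to what the post describes: if the legitimate user is the one who re-entered the password, the old id that a hijacker may be holding stops working.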