l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2003 Feb 19 10:14

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox-tech] Security & IP
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox-tech] Security & IP

I'm creating a PHP program that I'd like to protect against an attempt
to "hijack" a session.  I want to insure that the IP address of the
machine using the session is the same as that which started the
session.  The approach that I'm using is that, if the session's IP is
not stored in the session file, I'll store it.  If it is, I check to see
whether it matches the current IP.  If the two don't match, I think I've
been hijacked.

The problem is that I'm getting a false alarm because the 4th node of
the current IP doesn't always match that of the IP that started the
session.  The other three nodes do match.

Here are my questions.  Do I have adequate protection if I check just
the first three nodes?  Is there a better way to detect such an attempt?

The PHP code that I am using to get the IP addresses is this:
  if (getenv(HTTP_X_FORWARDED_FOR))
    $ipaddr = getenv(HTTP_X_FORWARDED_FOR);
    $ipaddr = $REMOTE_ADDR;

Alan H. Lake
Lake Information Works   
6999 Dolan Road
Glouster, OH  45732-9003 
Phone: 888-806-4201
Fax:   309-279-8695 
Cell:  916-276-0913
Email: alan.lake@lakeinfoworks.com
Site:  www.lakeinfoworks.com

vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!