73.6k views
5 votes
1. Session hijacking is a vulnerability caused by an attacker gaining access to a user's session identifier and being able to use other users' accounts, impersonating them. It is often used to gain access to administrative user accounts.
To protect against session hijacking, you can create a session-checking function in the PHP code with the following logic:
- Save the session remote address and user agent values in a new temporary session variable
- Create a last_access session value retrieved from the time() function
- If the value of the session remote address or session user agent originating from the HTTP header is not the same as the value of the temporary session remote address and user agent, then the session will be unset and destroyed and redirected to the login page
- If the time taken from the time() function is bigger than the last_access session value + 3600 seconds, then the session will be unset and destroyed and redirected to the login page
Make the PHP code for the session hijacking protection logic above by creating a function called cekSession(), and implementing and calling the function on a simple PHP page which, if the session is wrong, redirects to the login page.

User Kavindra
by
8.3k points

1 Answer

3 votes

Final answer:

The PHP function cekSession() can help protect against session hijacking by monitoring session attributes such as the user's remote address and user agent, and the session's idle time. If these values change unexpectedly or the session is idle for too long, the session is ended and the user is redirected to the login page.

Step-by-step explanation:

Session hijacking is indeed a substantial security concern, and protection against it can be implemented in PHP. For the logic you've described, the function cekSession() could be written like this:

<?php
session_start();
function cekSession() {
    // First visit: store the client's remote address, user agent and last-access time in the session
    if (!isset($_SESSION['REMOTE_ADDR'], $_SESSION['HTTP_USER_AGENT'], $_SESSION['LAST_ACTIVITY'])) {
        $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
        $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
        $_SESSION['LAST_ACTIVITY'] = time();
    }
    // Destroy the session if the client changed or it has been idle for more than 3600 seconds
    if ($_SESSION['REMOTE_ADDR'] !== $_SERVER['REMOTE_ADDR']
        || $_SESSION['HTTP_USER_AGENT'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')
        || time() > $_SESSION['LAST_ACTIVITY'] + 3600) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit();
    }
    $_SESSION['LAST_ACTIVITY'] = time();
}
cekSession();
?>
User Jfoliveira
by
8.0k points
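The following is an added example, not part of the answer above or the asker's code. It implements the same cekSession() checks (remote address, user agent, 3600-second idle limit) on a protected page and adds the hardening a practitioner would normally pair with them: strict session-ID mode, HttpOnly/Secure/SameSite cookie flags, and periodic session_regenerate_id() so a leaked ID has a short useful life. The file name login.php, the 'user' session key and the 900-second rotation interval are assumptions chosen for illustration.

```php
<?php
// Added example (not the answerer's code): protected page with cekSession()
// plus the usual cookie and session-ID hardening. login.php, the 'user'
// session key and the rotation interval are assumptions for illustration.

ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumption: the site is served over HTTPS
    'httponly' => true,      // keep the ID out of reach of page scripts
    'samesite' => 'Lax',
]);
session_start();

const IDLE_LIMIT = 3600;     // seconds, as specified in the question

function clientFingerprint(): array {
    // Values the session is bound to; both come from the current request
    return [
        'addr' => $_SERVER['REMOTE_ADDR'] ?? '',
        'ua'   => $_SERVER['HTTP_USER_AGENT'] ?? '',
    ];
}

function endSessionAndRedirect(): void {
    $_SESSION = [];
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit();
}

function cekSession(): void {
    $now = time();
    $fp  = clientFingerprint();

    if (!isset($_SESSION['fingerprint'], $_SESSION['last_access'])) {
        // First request of the session: bind it to this client and start the idle clock
        $_SESSION['fingerprint'] = $fp;
        $_SESSION['last_access'] = $now;
        $_SESSION['created']     = $now;
        return;
    }

    // Client changed (cookie replayed from elsewhere) or idle for too long: end the session
    if ($_SESSION['fingerprint'] !== $fp
        || $now > $_SESSION['last_access'] + IDLE_LIMIT) {
        endSessionAndRedirect();
    }

    $_SESSION['last_access'] = $now;

    // Rotate the session ID periodically (assumed 15-minute interval)
    if ($now - $_SESSION['created'] > 900) {
        session_regenerate_id(true);
        $_SESSION['created'] = $now;
    }
}

// In login.php, after the credentials have been verified, rotate the ID so a
// pre-set (fixated) ID cannot be reused:
//     session_regenerate_id(true);
//     $_SESSION['user'] = $username;

cekSession();
if (empty($_SESSION['user'])) {
    endSessionAndRedirect();
}
echo 'Welcome, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

Two caveats apply when deploying these checks. The remote-address comparison logs out legitimate users whose IP changes mid-session (mobile networks, load-balanced proxies), and behind a reverse proxy $_SERVER['REMOTE_ADDR'] is the proxy's address, so do not substitute an unvalidated X-Forwarded-For header for it. The user-agent comparison is only a weak hurdle, since the header is under the client's control; treat both checks as defence in depth alongside HTTPS, the cookie flags above and ID regeneration, not as a replacement for them.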