This article is considered outdated and remains available for archive purposes only.
Sessions have inherent problems, as most developers know. A session ID can easily be hijacked, and that can cause major security problems on a website. There are ways around this: in PHP you can set up sessions so that the session ID is only ever transmitted in cookies, but then you prevent visitors without cookies from logging in. One way around this problem is to tie your session IDs to the user's IP address.
So here is a short tutorial explaining one technique for doing this. It is split into two parts. The first is the generation of the session ID. The second is to be included on every page, and re-verifies the session ID of the user. You should also consider adding a page, shown when someone tries to use an expired or invalid session, which explains that if they have reconnected to the internet they may have to log in again (those with dynamic IP addresses, for example).
Part One - Starting the Session
I am assuming at this point that the user has entered their username and password and these have been verified as accurate.
If you are using a version of PHP earlier than 4.2, you will need to seed the random number generator with the following line before the code below (from 4.2 onwards PHP seeds it automatically).
srand((double) microtime() * 1000000);
$rand = rand(1, 9);
// Leading digit, then the first (11 + $rand) characters of the MD5 hash of the
// client's IP address. $_SERVER['REMOTE_ADDR'] is used rather than the
// register_globals variable $REMOTE_ADDR, which is not available in all setups.
$session_id = $rand . substr(md5($_SERVER['REMOTE_ADDR']), 0, 11 + $rand);
// Fill the remaining (20 - $rand) characters from a random position in the MD5
// hash of a random number, so that the finished ID is exactly 32 characters long.
$session_id .= substr(md5(rand(1, 1000000)), rand(0, 12 + $rand), 20 - $rand);
session_id($session_id);
session_start();
The above has generated a session ID as follows:
- A random number between 1 and 9 is created and used as the first character of the session ID.
- The first (11 plus the random number) characters of the MD5 hash of the IP address come next.
- The remaining characters needed to make a 32-character session ID are taken from a random section of the MD5 hash of a random number between one and one million.
That string is then assigned to the session as its session ID. You can treat it exactly like a normal session ID and use it in the same way with PHP's built-in session functions.
Part Two - Verifying the Session is valid on each page
It is all very well having a system set up to check whether a user is logged in, but we want to be sure that the user we think is using the site is the right person, and not someone who has hijacked their session ID. So we re-verify the session on each page we want to be secure, with the following function:
function session_verify() {
    session_start();
    $sid = session_id();
    // The leading digit is the random number chosen when the ID was generated.
    $rand = (int) substr($sid, 0, 1);
    // Re-derive the IP-bound prefix from the current client address and compare it
    // with the (11 + $rand) characters embedded after the leading digit, the same
    // length that was used at generation time.
    if (substr(md5($_SERVER['REMOTE_ADDR']), 0, 11 + $rand) == substr($sid, 1, 11 + $rand)) {
        // Session Valid
        $session_valid = "yes";
    } else {
        // Session Not Valid
        $session_valid = "no";
    }
    return $session_valid;
}
Simply call this function from whichever page you like and it will tell you whether or not the session ID is authentic for the user making the request.
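The following is an added, self-contained example rather than the article's own code. It puts both halves of the technique, generation and per-page verification, into functions that take the client address as a parameter, so the logic can be exercised from the PHP command line with constructed addresses instead of a live $_SERVER['REMOTE_ADDR']. Two details are deliberate departures from the article and are assumptions of this example: the random filler is drawn from random_bytes() rather than rand(), and the failure path destroys the session and redirects to a re-login page, as the article suggests, using the assumed page name /relogin.php.

```php
<?php
// Added example (not the article's code): IP-bound session IDs in the layout
// the article describes, written as pure functions so they can be run from the
// command line with constructed addresses.
declare(strict_types=1);

const SESSION_ID_LENGTH = 32;

/**
 * Build a 32-character session ID: one leading digit $rand (1-9), then the
 * first (11 + $rand) characters of md5($ip), then (20 - $rand) characters of
 * CSPRNG-derived hex. Using random_bytes() instead of rand() is this
 * example's choice, not the article's.
 */
function ip_bound_session_id(string $ip, ?int $rand = null): string
{
    $rand = $rand ?? random_int(1, 9);
    $ipPart = substr(md5($ip), 0, 11 + $rand);
    $remaining = SESSION_ID_LENGTH - 1 - strlen($ipPart); // 20 - $rand
    $randomPart = substr(bin2hex(random_bytes(16)), 0, $remaining);
    return $rand . $ipPart . $randomPart;
}

/**
 * Re-derive the IP-bound prefix from the caller's current address and compare
 * it, in constant time, with the prefix embedded in the session ID.
 */
function session_id_matches_ip(string $sessionId, string $ip): bool
{
    if (strlen($sessionId) !== SESSION_ID_LENGTH || !ctype_digit($sessionId[0])) {
        return false;
    }
    $rand = (int) $sessionId[0];
    if ($rand < 1) {
        return false; // generation only ever uses 1-9
    }
    $expected = substr(md5($ip), 0, 11 + $rand);
    $embedded = substr($sessionId, 1, 11 + $rand);
    return hash_equals($expected, $embedded);
}

/**
 * Web-facing wrapper, the equivalent of the article's session_verify(): call
 * it at the top of every protected page. On mismatch the session is thrown
 * away and the visitor is sent to a re-login page (assumed path /relogin.php)
 * that can explain the dynamic-IP case the article mentions.
 */
function session_guard(string $reloginUrl = '/relogin.php'): void
{
    session_start();
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!session_id_matches_ip(session_id(), $ip)) {
        session_unset();
        session_destroy();
        header('Location: ' . $reloginUrl);
        exit;
    }
}

// Command-line demonstration with constructed (documentation-range) addresses.
if (PHP_SAPI === 'cli') {
    $clientIp = '203.0.113.10'; // constructed, TEST-NET-3
    $otherIp  = '198.51.100.7'; // constructed, TEST-NET-2
    $sid = ip_bound_session_id($clientIp);
    printf("session id: %s (%d chars)\n", $sid, strlen($sid));
    printf("same address verifies:  %s\n", session_id_matches_ip($sid, $clientIp) ? 'yes' : 'no');
    printf("other address verifies: %s\n", session_id_matches_ip($sid, $otherIp) ? 'yes' : 'no');
}
```

Saved as a file and run with the PHP command-line interpreter, the script generates an ID for the first address, shows that the same address passes the check and that a different address fails it. In a web page you would call session_guard() instead of the CLI block; note that the check only confirms the address has not changed since login, so users behind shared proxies or with dynamic addresses are exactly the cases the re-login page has to explain.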
And there we have it: more secure sessions. This is not a complete session management system (personally, I tie sessions to a MySQL database as well), but it does mean that session hijacking is extremely difficult (in order to hijack a session, an attacker needs to grab the session ID of a user and spoof their IP address).