[vox-tech] Security & IP

Alan H. Lake vox-tech@lists.lugod.org
19 Feb 2003 12:12:27 -0500


I'm creating a PHP program that I'd like to protect against an attempt
to "hijack" a session.  I want to ensure that the IP address of the
machine using the session is the same as that which started the
session.  The approach that I'm using is that, if the session's IP is
not stored in the session file, I'll store it.  If it is, I check to see
whether it matches the current IP.  If the two don't match, I think I've
been hijacked.

The problem is that I'm getting a false alarm because the 4th node of
the current IP doesn't always match that of the IP that started the
session.  The other three nodes do match.

Here are my questions.  Do I have adequate protection if I check just
the first three nodes?  Is there a better way to detect such an attempt?

The PHP code that I am using to get the IP addresses is this:
  // Prefer the proxy-supplied header when present, else the TCP peer address.
  // The header name must be a quoted string, and $REMOTE_ADDR only exists
  // with register_globals on; $_SERVER['REMOTE_ADDR'] is always available.
  if (getenv('HTTP_X_FORWARDED_FOR'))
    $ipaddr = getenv('HTTP_X_FORWARDED_FOR');
  else
    $ipaddr = $_SERVER['REMOTE_ADDR'];


________________________________________________________________________
Alan H. Lake
Lake Information Works   
6999 Dolan Road
Glouster, OH  45732-9003 
Phone: 888-806-4201
Fax:   309-279-8695 
Cell:  916-276-0913
Email: alan.lake@lakeinfoworks.com
Site:  www.lakeinfoworks.com
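An added example (not the poster's own code) of the session-binding check described in the message above. It binds the session to the TCP peer address rather than to X-Forwarded-For, since that header is set by the client and so cannot serve as evidence of who holds the session, and it takes the number of leading IPv4 octets that must match as a parameter so the poster's "first three nodes" variant can be exercised alongside an exact match. It assumes PHP 7 or later and that the caller has already run session_start(); $server and $session are stand-ins for $_SERVER and $_SESSION.

```php
<?php
// Added example, not the original poster's code. $server mirrors $_SERVER and
// $session mirrors $_SESSION so the function can be exercised with constructed
// input as well as live requests.

/**
 * Bind a session to the client address that created it.
 *
 * Returns true when the current request matches the stored binding (or when
 * this is the first request and the binding is created now), false on a
 * mismatch. $octets is how many leading octets of an IPv4 address must match:
 * 4 = exact, 3 = the poster's "first three nodes" idea, which tolerates a
 * rotating last octet such as a pool of outbound proxies.
 */
function session_ip_check(array $server, array &$session, int $octets = 4): bool
{
    // Use the TCP peer address only. X-Forwarded-For is an ordinary request
    // header that any client can set, so a check based on it can be satisfied
    // by whoever sends the request, unless a trusted reverse proxy in front of
    // PHP is known to overwrite it.
    $ip = $server['REMOTE_ADDR'] ?? '';

    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        // Missing or non-IPv4 address: fall back to an exact string match.
        $key = $ip;
    } else {
        $octets = max(1, min(4, $octets));
        $key = implode('.', array_slice(explode('.', $ip), 0, $octets));
    }

    if (!isset($session['ip_binding'])) {
        // First request of this session: record the binding.
        $session['ip_binding'] = $key;
        return true;
    }

    // Constant-time comparison so timing does not reveal the stored prefix.
    return hash_equals($session['ip_binding'], $key);
}

// Constructed demonstration values (documentation address block, not real traffic).
$session = [];
session_ip_check(['REMOTE_ADDR' => '203.0.113.10'], $session, 3);   // creates the binding
session_ip_check(['REMOTE_ADDR' => '203.0.113.77'], $session, 3);   // last octet differs only
session_ip_check(['REMOTE_ADDR' => '198.51.100.5'], $session, 3);   // different network
```

On a false result, the usual response is to destroy the session and require a fresh login rather than merely logging the event, since the stored data may already be in a third party's hands.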