How can I make sure that when the user navigates and enters his pages, it is the actual user and not the one who hijacked the cookie/session?
(I can't make the user fill in his user name and password on every page, so that is not an option)
asked 08 November 2011 at 17:11
Set the "secure" flag on your cookies (see
session_set_cookie_params or the ini settings), redirect all HTTP requests to HTTPS, and only generate links to HTTPS (to prevent unnecessary redirects).
The "secure" flag tells the browser to never send the cookie over HTTP, e.g. if your user were to type in the HTTP url to your site. The SSL will take care of end-to-end encryption, protecting the cookie from eavesdropping. You could additionally do an IP check, but this would be inconvenient for some legitimate edge cases.
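The configuration this answer describes, written out as an added PHP example (it is not the answerer's code): the session cookie gets the `secure` flag, plus `httponly` and `samesite`, and plain-HTTP requests are redirected to HTTPS before the session starts. PHP 7.3 or later is assumed for the array form of `session_set_cookie_params()`, and `CANONICAL_HOST` is a placeholder you would replace with your own host name.

```php
<?php
// Added example, not code from the original answer.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params).

declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com'; // placeholder: your site's host

function requestIsHttps(array $server): bool
{
    // SAPIs set $_SERVER['HTTPS'] to a non-empty value (other than "off")
    // when the request arrived over TLS.
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

function httpsUrlFor(array $server): string
{
    // Build the redirect target from a configured host rather than the
    // client-supplied Host header, so the redirect cannot be pointed elsewhere.
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . CANONICAL_HOST . $uri;
}

// 1. Redirect every HTTP request to HTTPS before any session cookie is sent.
if (!requestIsHttps($_SERVER)) {
    header('Location: ' . httpsUrlFor($_SERVER), true, 301);
    exit;
}

// 2. Cookie attributes: "secure" keeps the cookie off plain HTTP,
//    "httponly" keeps it away from JavaScript, SameSite limits cross-site use.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// The same settings can live in php.ini instead:
//   session.cookie_secure   = 1
//   session.cookie_httponly = 1
//   session.cookie_samesite = "Lax"
// Strict mode rejects session IDs the server never issued.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

session_start();

// 3. Issue a fresh session ID once the user authenticates, so an ID that
//    existed before login (possibly known to someone else) is not reused.
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Because `session_set_cookie_params()` only affects cookies set afterwards, it has to run before `session_start()`; the redirect is placed before both so that no session cookie is ever issued in response to an HTTP request.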
You can't. If someone has someone else's credentials then the battle is lost.
Run all your data over HTTPS so it is encrypted (so safe from being stolen in transit) and trust your users to secure their own end points (since you have no other choice).
Use a reasonable timeout (X minutes) and check for simultaneous activity from multiple IP addresses / browsers / OSes / etc. It isn't perfect, but may block most attackers.
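An added PHP example of the two checks in this answer, an idle timeout and a comparison of the client's IP and User-Agent against the ones recorded at login (this is not the answerer's code). The 15-minute value stands in for the answer's "X minutes", and the choice to hash IP and User-Agent together is an assumption; as the first answer notes, binding to the IP will log out some legitimate users whose address changes.

```php
<?php
// Added example, not code from the original answer.
// Assumes session_start() has already been called on each request.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60; // assumed value for "X minutes"

function clientFingerprint(array $server): string
{
    // Browser and OS are only visible through the User-Agent header;
    // the remote address covers the "multiple IP addresses" case.
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

// Call once after the credentials have been verified.
function establishSession(array &$session, array $server, int $userId, int $now): void
{
    session_regenerate_id(true);
    $session['user_id']       = $userId;
    $session['fingerprint']   = clientFingerprint($server);
    $session['last_activity'] = $now;
}

// Call on every authenticated request. Returns false when the session is
// rejected (not logged in, idle too long, or client details changed).
function validateSession(array &$session, array $server, int $now): bool
{
    if (!isset($session['user_id'])) {
        return false;
    }

    $lastActivity = (int) ($session['last_activity'] ?? 0);
    if ($now - $lastActivity > IDLE_TIMEOUT_SECONDS) {
        $session = [];          // expired: drop everything
        return false;
    }

    if (!hash_equals($session['fingerprint'] ?? '', clientFingerprint($server))) {
        $session = [];          // requests now come from a different client
        return false;
    }

    $session['last_activity'] = $now; // sliding timeout
    return true;
}

// Usage on a protected page:
//   if (!validateSession($_SESSION, $_SERVER, time())) {
//       session_destroy();
//       header('Location: /login.php', true, 302);
//       exit;
//   }
```

Clearing `$_SESSION` and calling `session_destroy()` on a failed check ensures a stolen cookie that trips either rule stops working for the attacker as well as the victim; the user then simply logs in again.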