Scenario:
There is nothing you can do, except use HTTPS.
It doesn't matter how many cookies you add or what data you hash; it can all be sniffed and sent back to the server.
If you're going to force a user to use a single UA throughout the life of their request, that can help: you don't need any special hashing business, because you're hashing it into $_SESSION which neither the user nor the hijacker can access directly, so why bother hashing it? Might as well just store $_SESSION["reportedUA"] = $_SERVER["HTTP_USER_AGENT"] on log-in and then check reportedUA on each request.
That, too, is trivial to hijack, once you realise it's happening, as you need only sniff the reported UA when you sniff the session cookie, and start using that.
What next? IP address? Session hijacking might be happening from behind a NAT, in which case you're screwed. Your users might be using dial-up, in which case they're screwed.
This problem has no solution: there is no way. There couldn't be a way. If a hacker can see your session cookies, then they can mess you up, because there's no additional information or challenge related to something only the user knows (i.e. password) that's sent with each request.
The only way to make the session secure is to secure the entire session.
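
What securing the entire session can look like in PHP, as an added example that is not part of the original answer. It assumes PHP 7.3 or later and TLS terminating on this server; `CANONICAL_HOST`, `require_https()`, `start_secure_session()` and `on_login()` are hypothetical names.

```php
<?php
// Added example (not from the original answer). Assumes PHP >= 7.3 and TLS
// terminating here; behind a proxy $_SERVER['HTTPS'] may not be populated.
const CANONICAL_HOST = 'www.example.com'; // placeholder; avoids trusting the Host header

function require_https(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        // Never start or read the session on a cleartext request.
        header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
    // Ask the browser to use HTTPS for every later request as well.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // cookie is never sent over plain HTTP
        'httponly' => true,  // cookie is not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the password has been verified.
function on_login(): void
{
    session_regenerate_id(true); // discard any ID issued before authentication
    // The UA check from the answer: stored server-side, so no hashing is needed.
    // It only stops a hijacker who does not copy the header along with the cookie.
    $_SESSION['reportedUA'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

require_https();
start_secure_session();
if (isset($_SESSION['reportedUA'])
    && $_SESSION['reportedUA'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    session_destroy();
    http_response_code(403);
    exit;
}
```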