Menu
I lock the ip address.
Does this mean than user can only login in with the same ip address? Or will the user logout and have to re-login to get a new session?
if (isset($_SESSION['last_ip']) === false) { $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR']; } if ($_SESSION['last_ip'] != $_SERVER['REMOTE_ADDR']){ session_unset(); session_destroy(); } 
975
Here's a simple PHP snippet that you can place at the top of a file to determine whether the IPv4 address of a request is blacklisted: $blacklist = array( '127.0. 0.1', '192.168.
php $blockIP = array("192.168. 0.1", "192.168. 0.2"); if(in_array($_SERVER['REMOTE_ADDR'], $blockIP)) { echo "BLOCK"; exit(); } else { echo "ALLOW"; } ?>
The simplest way to collect the visitor IP address in PHP is the REMOTE_ADDR. Pass the 'REMOTE_ADDR' in PHP $_SERVER variable. It will return the IP address of the visitor who is currently viewing the webpage.
Using getenv() function: To get the IP Address,we use getenv(“REMOTE_ADDR”) command. The getenv() function in PHP is used for retrieval of values of an environment variable in PHP. It is used to return the value of a specific environment variable.
This code will delete the session (logout) if the user's IP address changes.
So the user can log in from any IP address, but will be logged out if it changes.
This could work to prevent session hijacking, but it wont work very well if you're on a dynamic IP because your IP will keep changing.
132
It does. If the user's IP changes, he'll be logged out. Although an attacker could still mimic the IP if he knows it, so it's not totally secure. Take a look at these pages for more information on how to prevent session hijacking:
I'd also highly recommend Chris Shiflett. His article on session hijacking can be found here:
http://shiflett.org/articles/session-hijacking
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
