Greg

Reputation: 7922

PHP: Preventing Session Hijacking with token stored as a cookie?

I'm working on an RIA in PHP. To try to prevent session hijacking I introduced a token, generated at login, based off a salt, ISO-8601 week number and the user's IP.

<?php
// Token built at login: ISO-8601 week number + fixed salt + client IP,
// hashed with MD5 and exposed as a constant for the rest of the request.
$salt      = "blahblahblah";
$tokenstr  = date('W') . $salt . $_SERVER['REMOTE_ADDR'];
$token_md5 = md5($tokenstr);
define("token_md5", $token_md5);

Currently, it's passed by GET or POST with every request, but I was wondering if I could avoid this by offering it as a cookie, since it is dependent on the user's IP. I'm just now learning sessions, so I was wondering if there are any security concerns with doing that? Is it a bad idea?

Upvotes: 4

Views: 8019

Answers (3)

outis

Reputation: 77400

Any data the user keeps can be stolen; any data a visitor sends could be spoofed. Better to store the remote IP in $_SESSION when the session is opened, and compare the remote IP with every request. If they don't match, it's probably a hijack. Generate a new ID and have the user log back in.

Upvotes: 8
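The check this answer describes, written out as an added example (not the answerer's code): the client address is recorded in $_SESSION when the user logs in, compared on every request, and a mismatch discards the session and forces a fresh login. The function names, the `bound_ip` and `user_id` keys, and the assumption that $_SERVER['REMOTE_ADDR'] is the real client address are all this example's own.

```php
<?php
// Added example: bind a PHP session to the remote IP seen at login.
// Assumes cookie-based sessions and that REMOTE_ADDR is the true client
// address (behind a reverse proxy it is the proxy's address instead).

function session_start_hardened(): void
{
    // Only accept session ids this server issued; reject client-made ids.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from JavaScript and off plain HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function session_login(int $userId): void
{
    // Called only after credentials were verified. A new id here means a
    // pre-login id an attacker may know (fixation) is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['bound_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

function session_is_valid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['bound_ip'])) {
        return false; // nobody is logged in on this session
    }
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if ($_SESSION['bound_ip'] === $remote) {
        return true;
    }
    // Address changed mid-session: treat it as a probable hijack. Drop the
    // server-side data, issue a fresh id (true = delete the old record so a
    // stolen id stops working immediately) and make the user log in again.
    $_SESSION = [];
    session_regenerate_id(true);
    return false;
}

// Per-page usage (example):
session_start_hardened();
if (!session_is_valid()) {
    header('Location: /login.php');
    exit;
}
```

Two things to expect in practice: users behind carrier NAT or VPNs can legitimately change address during a session and will be logged out, and behind a load balancer REMOTE_ADDR is the balancer, so every client looks the same unless the application trusts a proxy-supplied header from that specific proxy only.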

DarthVader

Reputation: 55022

I have done an RIA with the same approach you have done, and I just set up SSL on the application for security. Since Flex and remoting are sessionless, I'd recommend using SSL. My co-worker also developed an application with user login/logout and he did the same thing.

Upvotes: 0

Mike B

Reputation: 32145

session_regenerate_id() is great for preventing session hijacking.

session_regenerate_id — Update the current session id with a newly generated one

Continuously rotate the session_id for every page visit. This makes it very difficult to hijack a constantly moving target.

Upvotes: 7
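Rotation with session_regenerate_id() as an added example (not the answerer's code): the id is always replaced at login, and then again at most once every ROTATE_AFTER seconds. The constant, the `last_rotated` key and the interval value are this example's assumptions; rotating on literally every request, as the answer suggests, is the same call with the interval check removed.

```php
<?php
// Added example: rotate the PHP session id with session_regenerate_id().
// ROTATE_AFTER and the 'last_rotated' session key are assumed names.

const ROTATE_AFTER = 300; // seconds between rotations (assumed value)

function session_rotate_if_due(int $now): bool
{
    $last = $_SESSION['last_rotated'] ?? 0;
    if ($now - $last < ROTATE_AFTER) {
        return false; // current id is still young enough
    }
    // true = delete the old session record, so an id captured earlier
    // is dead the moment the legitimate client receives the new one.
    session_regenerate_id(true);
    $_SESSION['last_rotated'] = $now;
    return true;
}

function session_on_login(int $userId, int $now): void
{
    // Privilege change: always issue a fresh id so an id observed or planted
    // before login cannot ride into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['last_rotated'] = $now;
}

// Per-request usage (example):
ini_set('session.use_strict_mode', '1');
session_start();
session_rotate_if_due(time());
```

The interval exists because an RIA typically fires several requests in parallel: if every one of them regenerates the id and deletes the old record, a request still in flight with the previous id fails, which looks exactly like a hijack to the check from the other answer. Rotating on login and on a timer keeps the moving-target property without that race.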
