This has been asked a bunch of times. I am just curious as to whether it is believed that the below code provides a fairly significant level of security. Are there other ifs I should think about?
A few assumptions:
- if the user does nothing in 5 seconds, log him out.
- if the user is not coming from somePage.php, log him out.
- if the user's IP address changes, log him out.
Code below:
<?php
session_start();
$time = time();
$ip = $_SERVER['REMOTE_ADDR'];
// The session keys do not exist yet on the first request; treat a missing key
// as a failed check instead of raising an undefined-index notice.
if (!isset($_SESSION['time']) || $time - $_SESSION['time'] > 5)
{
    // function to log out user... // echo "logged out, time";
}
elseif (!isset($_SESSION['ip']) || $ip !== $_SESSION['ip'])
{
    // function to log out user... // echo "logged out, IP";
}
// HTTP_REFERER is optional and may be absent entirely, so default it to "".
elseif (($_SERVER['HTTP_REFERER'] ?? '') !== "http://server.com/somePage.php")
{
    // function to log out user... // echo "logged out, referer";
}
else
{
    // do sensitive stuff
}
$_SESSION['time'] = $time;
$_SESSION['ip'] = $ip;
?>
EDIT:
This is just some basic stuff in the "sensitive" area, on maybe a Facebook level. I don't want anyone to get in who shouldn't be. If they did, there would be some problems, but nuclear missiles will not be launched.
5 seconds was my example for testing; clearly it would be longer.
Bryan,
if $_SERVER can be spoofed, are there better methods to ascertain the user's source IP?
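The same three checks, rewritten as an added example that is not part of the question: the validation is isolated in one function so it can be unit-tested with constructed `$_SESSION`/`$_SERVER` arrays, it tolerates the first request and a missing Referer without PHP notices, and the session id is rotated after a successful check. The idle limit, the referer URL and the assumption that the login handler populates `time` and `ip` are all illustrative choices, not from the original post.

```php
<?php
// Added example, not the asker's code. Assumed values for illustration:
const IDLE_LIMIT = 900;                                  // seconds of inactivity allowed
const EXPECTED_REFERER = 'https://server.com/somePage.php';

// Returns the reason a request fails validation, or null when it passes.
// Pure function over the two arrays so it can be exercised without a web server.
function sessionProblem(array $session, array $server, int $now): ?string
{
    // Missing keys mean the login handler never ran (or the session was tampered
    // with); the original code would hit an undefined-index notice here.
    if (!isset($session['time'], $session['ip'])) {
        return 'no session';
    }
    if ($now - (int) $session['time'] > IDLE_LIMIT) {
        return 'idle timeout';
    }
    // REMOTE_ADDR comes from the TCP peer, so it is only the client's address
    // if there is no proxy in front of the application.
    if (($server['REMOTE_ADDR'] ?? '') !== $session['ip']) {
        return 'ip changed';
    }
    // Referer is client-supplied and optional: absent counts as a mismatch.
    if (($server['HTTP_REFERER'] ?? '') !== EXPECTED_REFERER) {
        return 'bad referer';
    }
    return null;
}

function logout(string $reason): void
{
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('logged out: ' . $reason);
}

session_start();
$now = time();
$why = sessionProblem($_SESSION, $_SERVER, $now);
if ($why !== null) {
    logout($why);
}
// Rotate the session id after a validated request so a captured id goes stale.
session_regenerate_id(true);
$_SESSION['time'] = $now;
$_SESSION['ip']   = $_SERVER['REMOTE_ADDR'];
// do sensitive stuff
```

Calling `sessionProblem(['time' => 100, 'ip' => '10.0.0.1'], ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_REFERER' => EXPECTED_REFERER], 200)` returns `'ip changed'`, and `sessionProblem([], [], 0)` returns `'no session'` instead of emitting a notice.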