by atburrow
4730 days ago
What if the user gets their session hijacked when they're on a static or long-term dynamic IP? If the user were to re-login, their session ID would be the same. I think it would be beneficial to at least store a salt associated with their session and regenerate the salt when authenticating: sha256($password . $ip . $random_salt). You could also regenerate the salt periodically.
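Worked example of the scenario in the comment above, added here as an illustration and not code from the original page or its author. It implements both derivations, the unsalted sha256(password . ip) and the proposed sha256(password . ip . random_salt) with a fresh salt on every authentication, inside a hypothetical in-memory session store, and walks through a hijack on a static IP: the stolen ID stays valid forever under the unsalted scheme, but stops resolving as soon as the victim logs in again under the salted one. The store, the user name, password and IP are constructed sample data.

```python
"""Session IDs derived as sha256(password . ip . salt) with the salt replaced on every
authentication, compared with the unsalted sha256(password . ip). Illustrative only;
the store, user, password and IP below are constructed sample data."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    salt: bytes        # per-session random salt, replaced on each login
    session_id: str


def unsalted_session_id(password: str, ip: str) -> str:
    """sha256(password . ip): identical inputs give the identical ID on every login."""
    return hashlib.sha256(password.encode() + ip.encode()).hexdigest()


def salted_session_id(password: str, ip: str, salt: bytes) -> str:
    """sha256(password . ip . random_salt), the derivation the comment proposes."""
    return hashlib.sha256(password.encode() + ip.encode() + salt).hexdigest()


class SessionStore:
    """Hypothetical server-side session table keyed by session ID."""

    def __init__(self) -> None:
        self._by_id: dict[str, Session] = {}

    def login(self, user: str, password: str, ip: str) -> Session:
        # Drop every existing session for this user first, so a hijacked ID
        # stops resolving the moment the real user authenticates again.
        for sid in [s.session_id for s in self._by_id.values() if s.user == user]:
            del self._by_id[sid]
        salt = secrets.token_bytes(16)          # fresh CSPRNG salt per authentication
        session = Session(user, ip, salt, salted_session_id(password, ip, salt))
        self._by_id[session.session_id] = session
        return session

    def lookup(self, session_id: str) -> Session | None:
        return self._by_id.get(session_id)


def demo() -> dict[str, bool]:
    """Hijack on a static IP: what each derivation yields after the victim re-logs in."""
    store = SessionStore()
    password, ip = "correct horse battery staple", "203.0.113.7"   # constructed sample

    first = store.login("alice", password, ip)
    stolen_id = first.session_id                  # attacker copies the cookie
    second = store.login("alice", password, ip)   # victim logs in again, same IP

    return {
        # unsalted: the re-login produces exactly the ID the attacker already holds
        "unsalted_same_after_relogin":
            unsalted_session_id(password, ip) == unsalted_session_id(password, ip),
        # salted: a new salt means a new ID ...
        "salted_changes_after_relogin": first.session_id != second.session_id,
        # ... and the old one no longer maps to a session
        "stolen_id_still_valid": store.lookup(stolen_id) is not None,
        "new_id_valid": store.lookup(second.session_id) is second,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth noticing when running it. Once a 16-byte random salt is part of the hash, the password and IP no longer add any unpredictability the salt does not already supply, so the ID is effectively a function of the salt alone; that is why most session frameworks simply mint a random token as the ID and skip the password entirely. And periodic regeneration as proposed needs the password (or an equivalent long-lived secret) to be available at rotation time, which a server normally does not have after login; a random-token design rotates by just issuing a new token.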