>>Firesheep.
Anyone else have any ideas on this stuff and how to combat it server-side?
I was kind of thinking along those lines.
at initial log in, set a session var like:
// fingerprint of the client's IP address and User-Agent, stored once at login
$_SESSION['browser_hash'] = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
then, whenever a page loads and I check the session for authentication, add:
if ($_SESSION['browser_hash'] !== md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
    // IP or User-Agent changed since login: treat the session as suspect
    exit("some sort of error message or maybe ask the user to re-confirm their password");
}
Not a perfect solution, of course, because the side-jacker could theoretically have the same user_agent string (or spoof yours if they knew it) and, if they're already on your network, they probably have your IP too. But it would be a deterrent. If you needed anything more secure, you should be using SSL anyway.
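A fuller version of the idea above, as an added example that is not the poster's code: it binds the session to a hashed client fingerprint, compares it in constant time with hash_equals, regenerates the session ID at login, and sets the Secure and HttpOnly cookie flags. It assumes PHP 5.6 or later and that the site is served over HTTPS (so the Secure flag can be used); the function names are illustrative.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 5.6 (hash_equals)
// and an HTTPS-only site so the Secure cookie flag does not break logins.

// Session cookie: lifetime 0 (browser session), path '/', any domain,
// Secure = only sent over HTTPS, HttpOnly = not readable by page scripts.
session_set_cookie_params(0, '/', '', true, true);
session_start();

function client_fingerprint()
{
    // Hash the values so the raw IP/UA are not stored in the session file.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ip . '|' . $ua);
}

function login_user($user_id)
{
    // Fresh session ID at login so a cookie issued before authentication
    // cannot be reused (session fixation); true discards the old session.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user_id;
    $_SESSION['browser_hash'] = client_fingerprint();
}

function require_login()
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['browser_hash'])) {
        return false;
    }
    // hash_equals compares in constant time, avoiding a timing side channel.
    if (!hash_equals($_SESSION['browser_hash'], client_fingerprint())) {
        // Fingerprint changed since login: drop the session and force
        // the user to re-authenticate rather than trusting the cookie.
        $_SESSION = array();
        session_destroy();
        return false;
    }
    return true;
}

// Usage at the top of a protected page:
if (!require_login()) {
    header('Location: /login.php');
    exit;
}
```

The check still has the limits the post describes (a shared NAT address or a copied User-Agent passes it), so it complements HTTPS for the whole session rather than replacing it.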