Everything I wrote in my earlier post about preventing session hijacking with PHP still holds, but there is another way to prevent it. In fact, it's really simple, and when you think about it, it makes session hijacking a completely worthless endeavor.
Re-Authentication
If you have a membership site of some kind, your members have to log on or log in, right? They obviously know what their credentials are.
If you have a secure login form of some kind, it makes sense to require those same credentials on any page that adds anything at all to the website. By doing so, you can render session hijacking a thing not worth pursuing.
The key here is that the member should have some kind of password storage and retrieval mechanism. I don’t use Internet Explorer for anything except Microsoft Updates on a virtual machine, but I know that both Firefox and Chrome have add-ons like LastPass that will store the data securely. There are specific programs for various operating systems as well, like KeePass Password Safe. These things are free!
If nothing else, most modern web browsers will let you store your credentials in the browser itself, something I can only recommend in addition to one of the other methods.
An Example
Let's say, for instance, that you've designed a nifty forum of some kind from scratch (something I'm still working on). It doesn't matter what a would-be hacker can read on the forum; what matters is that you don't want the hacker to be able to post anything, either as another member or as a member that doesn't exist.
You can let the session hijacker read to his or her heart's content, but if you require a member name/password pair to actually post something, the hijacker can't do it. Something like this would more than likely cause a hijacker to give up, unless the hijacker decides to attempt some other form of attack.
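One way to implement the re-authentication check described above, as an added PHP example that is not code from the original post. It assumes members are stored with a hash produced by password_hash(), that a successful login put the member's id in $_SESSION['member_id'], and that the posting form carries member_name, password and body fields; the member store, post store and function names are hypothetical and constructed for the example.

```php
<?php
// Added example, not the post's own code. The member and post stores below
// are constructed in memory to stand in for database tables.
declare(strict_types=1);

// Constructed member store standing in for a "SELECT ... FROM members" lookup.
function find_member(string $name): ?array
{
    static $members = null;
    if ($members === null) {
        $members = [
            'alice' => [
                'id'            => 1,
                'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $members[$name] ?? null;
}

// Constructed post store; a real forum would INSERT into its posts table.
function save_post(int $memberId, string $body): int
{
    static $posts = [];
    $posts[] = ['member_id' => $memberId, 'body' => $body];
    return count($posts); // id of the new post
}

// Returns the member id only when the supplied name/password pair verifies
// AND matches the member this session was logged in as. A hijacker holding
// only the session cookie fails the password check; a hijacker who somehow
// has another member's credentials still fails the session check.
function reauthenticate(array $session, array $post): ?int
{
    $name     = (string) ($post['member_name'] ?? '');
    $password = (string) ($post['password'] ?? '');

    $member = find_member($name);
    if ($member === null || !password_verify($password, $member['password_hash'])) {
        return null;
    }
    if (($session['member_id'] ?? null) !== $member['id']) {
        return null;
    }
    return $member['id'];
}

// Handler for the "new post" request. Reading the forum needs only the
// session; writing needs the credentials re-entered with every request.
function handle_new_post(array $session, array $post): array
{
    $memberId = reauthenticate($session, $post);
    if ($memberId === null) {
        // One generic message: do not reveal whether the name, password or session failed.
        return ['status' => 403, 'message' => 'Re-enter your member name and password to post.'];
    }
    $body = trim((string) ($post['body'] ?? ''));
    if ($body === '') {
        return ['status' => 400, 'message' => 'Empty post.'];
    }
    $postId = save_post($memberId, $body);
    return ['status' => 201, 'message' => "Post $postId saved."];
}

// Demonstration with constructed requests (in a real page: handle_new_post($_SESSION, $_POST)).
$sessionLoggedInAsAlice = ['member_id' => 1];

// 1. Hijacker has alice's session cookie but not her password: rejected (403).
var_dump(handle_new_post($sessionLoggedInAsAlice,
    ['member_name' => 'alice', 'password' => 'guess', 'body' => 'spam']));

// 2. Hijacker tries to post as a member that does not exist: rejected (403).
var_dump(handle_new_post($sessionLoggedInAsAlice,
    ['member_name' => 'nobody', 'password' => 'x', 'body' => 'spam']));

// 3. Alice re-enters her own credentials: accepted (201).
var_dump(handle_new_post($sessionLoggedInAsAlice,
    ['member_name' => 'alice', 'password' => 'correct horse battery staple', 'body' => 'Hello']));
```

The same reauthenticate() call belongs in front of every action that changes state (editing, deleting, changing profile settings), not just posting. The re-entered password is checked and discarded; it is never written to the session or a cookie, since that would hand the hijacker exactly what this scheme withholds.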
Thorough and Explicit Instructions
When you institute something like this, you have to make sure that each and every person who registers as a member is aware of what’s required of them.
If your website requires JavaScript and cookies, make it clear. The best place is the registration and login screens themselves. If they’re going to be required to re-enter their login credentials in order to post, make that clear as well.
You’re going to get a percentage of people who won’t read the instructions in front of them and another percentage of people who don’t read the language well enough to understand what it means. You need to be prepared for it and provide avenues like contact forms, sticky posts or whatever else you can think of to reduce the amount of support you’ll need to provide.