Session Validators

Session validators provide protection against session hijacking. Each check has drawbacks, however: an end user's IP address may change depending on their ISP, and a browser's user agent may change mid-session, either because of a web browser extension or because of an upgrade that retains session cookies.

Http User Agent

Zend\Session\Validator\HttpUserAgent provides a validator to check the session against the originally stored $_SERVER['HTTP_USER_AGENT'] variable. Validation fails if the values do not match, and Zend\Session\SessionManager throws an exception after session_start() has been called.

Basic Usage

A basic example is one like the following:

use Zend\Session\Validator\HttpUserAgent;
use Zend\Session\SessionManager;

$manager = new SessionManager();
$manager->getValidatorChain()->attach('session.validate', array(new HttpUserAgent(), 'isValid'));

Remote Addr

Zend\Session\Validator\RemoteAddr provides a validator to check the session against the originally stored $_SERVER['REMOTE_ADDR'] variable. Validation fails if the values do not match, and Zend\Session\SessionManager throws an exception after session_start() has been called.

Basic Usage

A basic example is one like the following:

use Zend\Session\Validator\RemoteAddr;
use Zend\Session\SessionManager;

$manager = new SessionManager();
$manager->getValidatorChain()->attach('session.validate', array(new RemoteAddr(), 'isValid'));

Custom Validators

You may want to provide your own custom validators to check other items, from storing and validating a token to various other techniques. To create a custom validator, implement the validation interface Zend\Session\Validator\ValidatorInterface.
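As an added example (not part of the original documentation or the framework's own code), the validator below implements the interface's isValid(), getData() and getName() methods to bind a session to the client's network prefix rather than its exact address, which tolerates the ISP address changes noted at the top of this page. The Application\Session namespace, the RemoteNetwork class name and the /24 and /64 prefix lengths are assumptions, as is the constructor receiving the stored value on later requests in the same way as the bundled validators.

```php
<?php
namespace Application\Session; // hypothetical namespace

use Zend\Session\SessionManager;
use Zend\Session\Validator\ValidatorInterface;

// Hypothetical validator: compares the client's network prefix
// (IPv4 /24, IPv6 /64) instead of the exact address RemoteAddr checks.
class RemoteNetwork implements ValidatorInterface
{
    protected $data;

    // $data is the prefix stored when the session began; null on first use.
    public function __construct($data = null)
    {
        $this->data = ($data !== null) ? $data : $this->currentPrefix();
    }

    // Reduce REMOTE_ADDR to a hex-encoded prefix; '' if it cannot be parsed.
    protected function currentPrefix()
    {
        $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
        $packed = @inet_pton($addr);
        if ($packed === false) {
            return '';
        }
        // 4 packed bytes means IPv4 (keep 3 bytes); otherwise IPv6 (keep 8).
        return bin2hex(substr($packed, 0, strlen($packed) === 4 ? 3 : 8));
    }

    public function isValid()
    {
        // Fail closed: an unparsable stored or current address never validates.
        return $this->data !== '' && $this->currentPrefix() === $this->data;
    }

    public function getData()
    {
        return $this->data;
    }

    public function getName()
    {
        return __CLASS__;
    }
}

$manager = new SessionManager();
$manager->getValidatorChain()->attach('session.validate', array(new RemoteNetwork(), 'isValid'));
```

The prefix length is a policy choice: a wider prefix tolerates more address churn but also treats more of the network as the same client.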
