1

I am just wondering about the pros and cons of checking user-agent in a PHP login script. I find quite a bit of conflicting information over the internet and I wonder if it is worthwhile using it in my event lister login script.

Jimmy Sawczuk
Tracy
    What are you trying to accomplish by looking at the user agent? – Tim Cooper Apr 28 '11 at 19:50
  • I was just thinking about using it as an additional check to validate the user that is logged in. I am currently using sessions and cookies for the remember me feature. I used http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication for reference. – Tracy Apr 28 '11 at 21:07

4 Answers

1

Most people will tell you that the user agent can be spoofed and that it will provide you no protection. However, given the number of people that can spoof user agents versus those that cannot, I would recommend that you still add the user agent check.

Beware that if they upgrade their browser the user agent may change.

Do not rely solely on the user agent to validate the session and do not sacrifice other security measures just to be able to implement this one. Another suggestion is to not spit out an error code: "Invalid user agent". Make the people that are trying to get into your site have to figure it out because that way will deter more people from ever even trying.

In conclusion: add it, but don't rely on it being the sole security feature.

Flipper
0

The user agent is dead easy to spoof. For example, every time I visit google.com, my Firefox sends it the user-agent string "Google Instant sucks, and I don't keep cookies". (Thanks to the UAControl extension!)

You can't rely on the user agent for security purposes.

Will Martin
0

You probably know about user agent spoofing, so it shouldn't be used to authenticate users. But if you're using it as part of a history of login attempts (is this what event lister is?) then it's a useful extra bit of information.

Karl Andrew
0

You can assume that for 'normal' users the user-agent string stays the same during a session.

I wouldn't use it as a hard check to prevent session hijacking.

Halcyon
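The "soft check" that Flipper's and Halcyon's answers converge on, written out as an added PHP example (not code from any answer in this thread): a fingerprint of the User-Agent is stored in the session at login, compared on every request, and a mismatch is logged and the session dropped without announcing "invalid user agent". The function names, the logger callback and the sample User-Agent strings are constructed for this demo; the session is passed in as an array so the script runs from the command line without a web server.

```php
<?php
// Added example, not from the original thread: bind a session to the
// client's User-Agent as a *soft* signal, never as the only check.
declare(strict_types=1);

// Store a hash rather than the raw string so the session carries no
// free-text client data. No secret is needed: the value is only ever
// compared server-side, never exposed to the client.
function uaFingerprint(string $userAgent): string
{
    return hash('sha256', $userAgent);
}

// Call once at login, after the credentials have been verified.
// $session stands in for $_SESSION (passed explicitly for the CLI demo).
function bindSessionToUa(array &$session, string $userAgent): void
{
    $session['ua_fp'] = uaFingerprint($userAgent);
}

// True when the current User-Agent matches the one seen at login.
function sessionUaMatches(array $session, string $userAgent): bool
{
    if (!isset($session['ua_fp'])) {
        return false;
    }
    // Constant-time comparison; avoids leaking anything about the stored hash.
    return hash_equals($session['ua_fp'], uaFingerprint($userAgent));
}

// Defender-side policy on mismatch: record it for review, clear the
// session, and let the caller regenerate the session id and show the
// ordinary login page. No "invalid user agent" message is produced.
function handleRequest(array &$session, string $userAgent, callable $logger): bool
{
    if (sessionUaMatches($session, $userAgent)) {
        return true; // continue serving the request
    }
    $logger(sprintf('UA mismatch for session of user=%s', $session['user'] ?? 'unknown'));
    $session = []; // drop everything the session held
    return false;
}

// CLI demo with constructed values.
$session = ['user' => 'alice'];
$loginUa = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0'; // constructed
bindSessionToUa($session, $loginUa);

$log = static function (string $msg): void {
    fwrite(STDERR, $msg . PHP_EOL);
};

// Same browser on the next request: the session is kept.
var_dump(handleRequest($session, $loginUa, $log));

// Different client presenting the same session: logged, session cleared,
// caller redirects to login. Note the browser-upgrade caveat from the
// accepted answer: a legitimate update changes the UA and trips this too,
// which is why it ends in a re-login rather than an account lockout.
var_dump(handleRequest($session, 'curl/7.21.0', $log)); // constructed
```

In a real login script the `$session` argument would be `$_SESSION`, `bindSessionToUa()` would run right after a successful password check together with `session_regenerate_id(true)`, and a `false` from `handleRequest()` would be followed by `session_destroy()` and a redirect to the normal login page. The check is deliberately one input among several (session cookie, CSRF token, idle timeout), in line with the answers above.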