I am pretty new to Web Development and I read about CSRF, XSS, and Session Hijacking. One proposed solution is to simply use a nonce to check the validity of requests. I wrote this script in PHP to prevent session hijacking. I think it is similar in spirit to regenerating the session ID, in that identifiers, or their combination (session ID and the nonce) are changed at every request.
if(!isset($_SESSION["user"]["nonce"]) ||
$_SESSION["user"]["nonce"] == $_COOKIE["SITE_nonce"])
{
$nonce = md5(uniqid());
$_SESSION["user"]["nonce"] = $nonce
setcookie("SITE_nonce", $nonce, 0, "/path");
}
else
die("Invalid Request");
Is this enough? I really do not know if I can afford SSL, and I know that it would be a good solution to session highjacks, but I am hoping for some insight to this approach. Am I missing something?
This is really a common problem - discussed many times before. I suggest you visit security pages such as http://owasp.com/index.php/Main_Page for a bunch of very good guides.
As for your implementation: you can also store some sort of hash that you generate first time person comes gets a session and an IP. Also I guess a good time out on cookie.