Summary: Hamper session theft (session hijacking) and session fixation attacks.
Version: 2.2
Prerequisites: AuthUser
Status: Working
Maintainer: & Sven
Categories: Security
Discussion: SessionGuard-Talk?

Questions answered by this recipe

Can I make my wiki more secure?


Session theft is one method of impersonation. More details are explained in session security advice.

This recipe makes both attacks a bit harder by verifying some HTTP meta data in addition to the session key: It restricts the session validity to its original IP (subnet) and the same browser name. An attacker would have to fake both in order to steal a session. This recipe is good to use if you have a person login (for example with AuthUser) or use a password to change your wiki.

See also:


There are 2 steps to installing SessionGuard.

Step 1

Create a page call "Site.InvalidLoginInformation". You can customize this page any way you want.
Someone might put:
!!Your login information seems to be invalid.

Technical details: Your session ID seems to belong to another user.

Return to [[Main/HomePage|Home]].
In mine I put:
(:redirect Main.HomePage:)

Step 2

Copy SessionGuard.phpΔ to your cookbook directory.
If you are using AuthUser place this before it in your config.php:
or in your farmconfig.php enter:


Use "require" and not "include" - "For security stuff, always require."

Release Notes

  • Version 2.2 - Change pagename reference Site.SuspicionOfSessionTheft to Site.InvalidLoginInformation
  • Version 2.1 - added "if (!defined('PmWiki')) exit();"
  • Version 2.0 - renamed - old LoginGuard obsolete
  • Version 1.0 - Initial Release

See Also


 created and maintains recipe

Sven created initial code


See Discussion at SessionGuard-Talk?

User notes? : If you use, used or reviewed this recipe, you can add your name. These statistics appear in the Cookbook listings and will help newcomers browsing through the wiki.