I have been contacted by a hacker saying they're going to take my site down using session hijacking. He has said that my text boxes are vulnerable to session hijacking.
Is there any way to protect text boxes from session hijacking? I'm using this to escape and protect from SQL injection.
Here is my form
<form name="hide" action="hideboxupdate.php" method="post">
<input type="radio" name="yes" value="1" />
Yes<br />
<input type="radio" name="no" value="0" />
No
<input name="submit" type="submit" value="Submit" />
</form>
Then here is my hideboxupdate.php
<?php
session_start(); // $_SESSION is empty unless the session is started first

// Only the chosen radio button is submitted, so decide on the key that is present.
// (The original isset($yes2)/isset($no2) checks were always true because the
// variables had just been assigned, so both UPDATEs ran and hide_box always ended at 0.)
// Escaping the radio values is unnecessary: they are never placed in the query.
$hide = null;
if (isset($_POST['yes'])) {
    $hide = 1;
} elseif (isset($_POST['no'])) {
    $hide = 0;
}
if ($hide === null || !isset($_SESSION['username'])) {
    die("No choice submitted or not logged in");
}

// The session username is what actually goes into the query, so it is the value to escape.
// Note: the mysql_* extension is removed in PHP 7; mysqli or PDO prepared statements replace it.
$username = mysql_real_escape_string($_SESSION['username']);
$result = mysql_query("UPDATE users SET hide_box='" . $hide . "' WHERE username = '" . $username . "'")
    or die(mysql_error());

if ($hide === 1) {
    echo "Users now can not see your user box";
} else {
    echo "Users can now see your box on your profile";
}
?>
Is there any way to protect from session hijacking???
Make an md5 of the session, browser data and IP and put it in the database; on every page load check if it's still the same, and if not, destroy the session.
When you send the page with the form, include a hidden input with a random string that you also write to the user's record in the database, something like this:
<input type="hidden" name="csrf" value="0432985732409857243"/>
When the user submits the form, you verify that the form's hidden data csrf matches the value you stored in the database. If the csrf matches, that means the update is good and you also delete the csrf; if the csrf fails to match, then you don't do the update.
This protects the user because only he will be able to submit that form, and only once.
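A concrete version of the single-use token scheme from the answer above, together with the session-cookie settings that keep the session id itself out of reach of script and off plain HTTP. This is added example code, not from the post or the answer; the function names and the $_SESSION key are my own, and the token is kept in the session rather than in the users table.

```php
<?php
// Added example, not from the original post. Function names and the
// $_SESSION key 'csrf_hide_box' are assumptions of this example.

// Start the session with the cookie flagged HttpOnly (not readable by JavaScript)
// and Secure (only sent over HTTPS), and refuse session ids the server never issued.
function start_hardened_session() {
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    // lifetime 0 (until browser closes), path '/', any domain, secure=true, httponly=true
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

// Call when rendering the form: mints a fresh token, stores it server-side and
// returns the hidden input to echo inside <form name="hide" ...>.
function csrf_token_field() {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $_SESSION['csrf_hide_box'] = $token;
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '"/>';
}

// Call in hideboxupdate.php before touching the database. Returns true at most
// once per issued token; the stored copy is removed whether or not the check passes,
// so a replayed or guessed value cannot succeed later.
function csrf_token_valid(array $post) {
    $expected = isset($_SESSION['csrf_hide_box']) ? $_SESSION['csrf_hide_box'] : null;
    unset($_SESSION['csrf_hide_box']);             // single use: burn it first
    if ($expected === null || !isset($post['csrf']) || !is_string($post['csrf'])) {
        return false;
    }
    return hash_equals($expected, $post['csrf']);  // constant-time comparison
}

// Usage in hideboxupdate.php:
//   start_hardened_session();
//   if (!csrf_token_valid($_POST)) {
//       http_response_code(403);
//       die("Invalid or expired form token");
//   }
//   ... then run the UPDATE for the logged-in $_SESSION['username'] ...
```

The token stops a forged cross-site submission of the form; the cookie flags and strict mode are what make the session id itself harder to steal or fix, which is the part the hidden field alone does not address.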