Session hijacking prevention with tokens, what am I missing here?
I am researching session hijacking; so far I have read this line of code 5 times (or variations of it):
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
The idea behind it seems to be that if I add a token (an unpredictable value) to the session, then a session hijacker who stole my session (cookie theft, for example) will not be authenticated because his token is incorrect.
Now, as far as I understand, session data is stored on the server, and only the session ID is stored on the client (usually in a cookie), so if this cookie is stolen, then the hijacker will automatically inherit the token, rendering its (the token's) protection useless...
What am I missing here?
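As an added example (not part of the original post), the PHP below shows what the quoted token pattern actually checks in practice: the server-side token is compared with a copy that must be echoed back in the form body, which is a CSRF defence rather than a defence against a stolen session cookie. It also shows the session-hardening calls that address cookie theft and fixation; the deployment behind HTTPS and the form markup are assumptions.

```php
<?php
// Added example, not from the original post. The token lives in $_SESSION,
// i.e. server-side, keyed by the session id carried in the cookie. Anyone who
// presents that cookie gets the same $_SESSION, token included. The check
// below therefore only defends against cross-site forged requests, which
// cannot supply the form copy of the token; it does not stop cookie theft.
declare(strict_types=1);

// Cookie hardening (assumes the site is served over HTTPS).
session_set_cookie_params([
    'httponly' => true,    // not readable from JavaScript (limits XSS theft)
    'secure'   => true,    // only sent over TLS
    'samesite' => 'Strict',
]);
session_start();

// Per-session CSRF token from a CSPRNG instead of md5(uniqid(rand(), TRUE)).
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

/** True only when the token submitted in the form matches the session copy. */
function csrfTokenValid(array $post, array $session): bool
{
    return isset($post['token'], $session['token'])
        && hash_equals($session['token'], $post['token']);  // constant-time compare
}

/** Run on login: a fresh session id defeats session fixation of a pre-set id. */
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);                      // old id is invalidated
    $_SESSION['user_id'] = $userId;
    $_SESSION['token']   = bin2hex(random_bytes(32)); // rotate the CSRF token too
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // ... handle the state-changing action here ...
}
?>
<form method="post">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Do something</button>
</form>
```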