--- ../../drupal-4.5.2.dist/includes/session.inc	2005-01-10 20:35:37.000000000 +0100
+++ session.inc	2005-04-12 01:06:37.000000000 +0200
@@ -9,6 +9,24 @@
 session_set_save_handler("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
 session_start();
 
+$client_identifier = md5($_SERVER['HTTP_USER_AGENT'] .
+  $_SERVER['HTTP_ACCEPT_CHARSET'] .
+  $_SERVER['HTTP_ACCEPT_LANGUAGE'] .
+  $_SERVER['HTTP_ACCEPT_ENCODING'] .
+  $_SERVER['HTTP_CONNECTION']
+  );
+
+if (!array_key_exists('CLIENT_IDENTIFIER', $_SESSION)) {
+  $_SESSION['CLIENT_IDENTIFIER'] = $client_identifier;
+}
+if ($_SESSION['CLIENT_IDENTIFIER'] != $client_identifier) {
+  watchdog('warning', "Possible hijack attempt: " . $_SERVER["REMOTE_ADDR"]  . " has a changed client identifier for '$user->name' using UA '" . 
+                       $_SERVER['HTTP_USER_AGENT'] . "'- session terminated."  );
+  session_destroy();
+  session_set_save_handler("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
+  session_start();
+}
+
 /*** Session functions *****************************************************/
 
 function sess_open($save_path, $session_name) {
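Review bot: The `if ($_SESSION['CLIENT_IDENTIFIER'] != $client_identifier)` test uses loose `!=`, and PHP compares two numeric-looking strings numerically, so two md5 digests of the form `0e<digits>` would compare equal and a mismatch would be missed; use strict `!==` (or `hash_equals()` where the PHP version has it). The fingerprint is built only from headers the client sends, so an attacker who captured the cookie from the same traffic can replay them and pass this check; it should be documented as a nuisance barrier, not a hijack defence, and `HTTP_CONNECTION` is a hop-by-hop header that proxies and keep-alive negotiation rewrite, so keeping it in the md5 input will terminate legitimate sessions spuriously. After `session_destroy()` the code restarts with `session_start()` but never regenerates the id, so the re-created session presumably keeps the sid from the attacker's cookie; a `session_regenerate_id()` after the restart closes that. The raw `HTTP_USER_AGENT` is also interpolated into the watchdog message, and whether the log viewer escapes it on display cannot be told from here, so it is worth confirming.
```php
$client_identifier = md5($_SERVER['HTTP_USER_AGENT'] .
  $_SERVER['HTTP_ACCEPT_CHARSET'] .
  $_SERVER['HTTP_ACCEPT_LANGUAGE'] .
  $_SERVER['HTTP_ACCEPT_ENCODING']
  );
// … unchanged: seeding CLIENT_IDENTIFIER on first sight …
if ($_SESSION['CLIENT_IDENTIFIER'] !== $client_identifier) {
  // … unchanged: watchdog() warning …
  session_destroy();
  session_set_save_handler("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
  session_start();
  session_regenerate_id();
}
```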
@@ -52,6 +70,7 @@
 
 function sess_destroy($key) {
   db_query("DELETE FROM {sessions} WHERE sid = '$key'");
+  unset($_SESSION['CLIENT_IDENTIFIER']);
 }
 
 function sess_gc($lifetime) {
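Review bot: The `unset($_SESSION['CLIENT_IDENTIFIER'])` line relies on PHP's `session_destroy()` leaving the in-memory `$_SESSION` array populated, which is not obvious inside a save-handler callback; a one-line comment would help: `// session_destroy() does not clear $_SESSION; drop the identifier so a re-created session is re-seeded on the next request.` It removes only this one key, so unless `session_start()` resets the array on the PHP version in use (worth confirming), any other session data still in memory is carried into the session the caller re-creates and written back by sess_write at shutdown; if the hijack path is meant to start clean, `$_SESSION = array();` is the conventional form. The pre-existing DELETE on the line above still interpolates `$key` into SQL unescaped, which this change does not touch but is worth a look while here.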
