My site is under a brute force attack in which the attackers are attempting to gain access to user accounts. The bots do not have a user agent. I have a system in place that blocks a person from signing in if they exceed 3 attempts per account in under 10 minutes.

I also made it check for a user agent, and if not, exit.

My question is: Are sessions only stored in browsers? What I'm thinking is that they are using a script executed via command line.

I've implemented this as well:

if(!isset($_COOKIE[ini_get('session.name')])) {
header("HTTP/1.0 404 Not Found");
exit;
}

Is there anything else I can do to prevent these attacks?

A session variable's content is stored on the server, however, the session is identified by a session ID which is stored at the client and sent with each request. Usually the session ID is stored in a cookie, but it can also be appended to URL's.

There's quite an interesting read on session hijacking on Wiki and also one at PHP Security Consortium that should give you a better understanding as to what hijacking is about and how to prevent it.

There are a lot of methods to help prevent these attacks, I've pointed out three:

• Use PHP's session_regenerate_id() after the user successfully logs in. This creates a new session ID, different from the one that was created when they first visited the public/safe area, if there was a session started of course.
• Record the user's IP address, session ID and user agent when successfully logged in. Check the IP and user agent for every request and if the IP and agent doesn't match for this session, make them log in again. Beware though, sometimes a user's IP can change and may annoy somebody. Also be aware that a user agent can easily be spoofed, too.
• Use SSL/TCL to hide the information sent in a request.