> Also, ISPs (like AOL) who use farms of proxy caches will change a user's 
> apparent IP during a single session.  (i.e. concurrent requests may come 
> from different IPs).

  The real IP address can be tracked in most cases (say, using the
  HTTP_X_FORWARDED header and others) but I am not really sure that we
  should put the logic for that in the PHP engine itself. Users can
  add the additional PHP code to their libraries. Anyway, you can
  change the session id from the PHP code itself.

  I am more afraid of several applications (web sites) sharing the
  same session directory. Can a sessionid from one site be used
  as a sessionid for the other site residing on the same server
  (provided that session files are stored in the same directory)?
  From all the tests I've done - it can. 

  This would allow an intruder to construct session data with any
  kind of variables and then switch to the other application with
  arbitrary privileges.

  ASPs are most vulnerable here. If two instances of the same
  application are running on the same server, then the administrator
  of one application can quite possibly become the administrator
  of the other...

--
Ivan Ristic, [EMAIL PROTECTED]
[ Weblog on PHP, Software development, Intranets,
and Knowledge Management: http://www.webkreator.com ]
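An added example (not from this thread or from PHP itself) of the application-side mitigation for the shared-session-directory problem described above: give each application its own save_path and session name, and tag every session with an application identifier so that data written under another application is discarded. The `APP_ID` value and the `/var/lib/php/sessions/<app>` path are assumptions.

```php
<?php
// Added example: isolating PHP sessions per application.
// Weak deployment (the situation described in the thread): every site on the
// host uses the same session.save_path, so a session id created under one
// site is accepted by another, together with the $_SESSION data written there.
//
//   ; php.ini shared by all sites
//   session.save_path = "/tmp"
//
// Hardened deployment: each application gets its own store and cookie name.

const APP_ID = 'intranet';                            // assumed per-application tag

function start_app_session(string $appId): void
{
    // A private directory per application: a session file belonging to another
    // application does not exist here, so its id cannot be reused.
    $savePath = '/var/lib/php/sessions/' . $appId;    // assumed path; 0700, owned by the PHP user
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory $savePath");
    }
    ini_set('session.save_path', $savePath);
    ini_set('session.use_strict_mode', '1');          // reject ids the server never issued
    ini_set('session.cookie_httponly', '1');
    session_name('SESS_' . strtoupper($appId));       // distinct cookie per application

    session_start();

    // Defence in depth: bind the session to this application so that even a
    // shared store would not let data written elsewhere be trusted.
    if (!isset($_SESSION['__app'])) {
        $_SESSION['__app'] = $appId;                  // fresh session, claim it
    } elseif ($_SESSION['__app'] !== $appId) {
        // Session data was created under another application: discard it.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['__app'] = $appId;
    }
}

start_app_session(APP_ID);
```

Moving the save_path setting into php.ini per virtual host (or per pool) achieves the same isolation without relying on every script calling this function.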

-- 
PHP Development Mailing List <http://www.php.net/>