: defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if
: the user came from my own site, but that can be spoofed. I can log and check
: the user's IP address, but that can't be relied upon.
:
: Is there any reliable way around this? Am I missing something obvious?
On the server where you are storing the session ID, also include her
User-Agent and remote IP.
Remote IP has some flaws when a proxy cache is involved. User-Agent stays
pretty much the same through an entire session.
Hopefully they aren't using *exactly* the same browser and IP.
Or use one time session tokens that get reissued after each request and
then invalidated. Breaks reloads and back functionality.
Turu.
--
Stephen Cope - http://sdc.org.nz/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
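The two defences Stephen sketches above (bind the session to the User-Agent plus a coarsened remote IP, or reissue a one-time token on every request) as a worked PHP example. This is added here and is not code from the post, the list, or PHP itself; the constant and function names (FINGERPRINT_SECRET, BIND_TO_IP, coarse_ip, client_fingerprint, fingerprint_matches, start_bound_session, rotate_request_token), the choice to HMAC the fingerprint, the /24 and /64 coarsening, and the request arrays in the CLI demo are all this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Binds a PHP session to the
// client's User-Agent (and optionally a coarsened IP) and shows a per-request
// one-time token. All names below are this example's own.

// Server-side secret so the stored fingerprint is an HMAC rather than a plain
// hash someone could precompute. Load from config in real use (assumption).
const FINGERPRINT_SECRET = 'replace-with-a-long-random-secret';
// IP binding is off by default: proxies, carriers and NAT pools change the
// address mid-session, which is the flaw the post mentions.
const BIND_TO_IP = false;

/** Coarsen an address so a move inside the same /24 (v4) or /64 (v6) still matches. */
function coarse_ip(string $addr): string
{
    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return substr($addr, 0, (int) strrpos($addr, '.'));   // e.g. "203.0.113"
    }
    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return bin2hex(substr(inet_pton($addr), 0, 8));       // first 64 bits
    }
    return $addr; // unparseable: bind to the literal string
}

/** HMAC over the attributes the session is bound to. */
function client_fingerprint(array $server, bool $bindIp = BIND_TO_IP): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $bindIp ? coarse_ip($server['REMOTE_ADDR'] ?? '') : '';
    return hash_hmac('sha256', $ua . "\0" . $ip, FINGERPRINT_SECRET);
}

/** Constant-time comparison of a stored fingerprint with the current request. */
function fingerprint_matches(?string $stored, array $server, bool $bindIp = BIND_TO_IP): bool
{
    return $stored !== null && hash_equals($stored, client_fingerprint($server, $bindIp));
}

/**
 * session_start() plus the binding check. Returns false, after destroying the
 * session, when the fingerprint no longer matches the request.
 */
function start_bound_session(array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['fp'])) {
        // First request of this session: swap the ID so a pre-set (fixated)
        // ID never becomes the authenticated one, then bind to the client.
        session_regenerate_id(true);
        $_SESSION['fp'] = client_fingerprint($server);
        return true;
    }
    if (!fingerprint_matches($_SESSION['fp'], $server)) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

/**
 * One-time request token, the second option in the post. The token carried in
 * the link or form ($request['t']) must equal the stored one; a fresh token is
 * issued for the next request and the old one is dead. A reload or Back
 * resubmits the stale token and is rejected, which is the breakage the post
 * describes. The first request of a session just receives its token.
 */
function rotate_request_token(array &$session, array $request): bool
{
    $ok = true;
    if (isset($session['tok'])) {
        $ok = hash_equals($session['tok'], (string) ($request['t'] ?? ''));
    }
    $session['tok'] = bin2hex(random_bytes(16)); // reissue; previous token invalid
    return $ok;
}

if (PHP_SAPI === 'cli') {
    // Constructed request arrays for the demo, not captured traffic.
    $ua     = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0';
    $first  = ['HTTP_USER_AGENT' => $ua,         'REMOTE_ADDR' => '203.0.113.10'];
    $moved  = ['HTTP_USER_AGENT' => $ua,         'REMOTE_ADDR' => '203.0.113.77'];
    $other  = ['HTTP_USER_AGENT' => 'curl/8.4.0', 'REMOTE_ADDR' => '203.0.113.10'];

    $stored = client_fingerprint($first, true);
    var_dump(fingerprint_matches($stored, $moved, true));  // same UA, same /24
    var_dump(fingerprint_matches($stored, $other, true));  // User-Agent changed

    $sess = [];
    rotate_request_token($sess, []);                      // first request, token issued
    $t = $sess['tok'];
    var_dump(rotate_request_token($sess, ['t' => $t]));   // normal follow-up request
    var_dump(rotate_request_token($sess, ['t' => $t]));   // reload resubmitting old token
}
```

Run it with `php example.php`; the session functions are only exercised inside a web request, while the fingerprint and token helpers are pure and run from the CLI block. Binding the fingerprint with an HMAC rather than a bare hash means a copied session file does not reveal the User-Agent string it was bound to, and the coarsening keeps the IP check from logging out users whose carrier or proxy pool shifts addresses, which is exactly why BIND_TO_IP stays off unless you have measured how often that happens for your users.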