> hijacking? I thought of checking IP address on subsequent requests,
> but apparently this cannot be relied on because of HTTP proxies etc.
But isn't it better than nothing?
I think a session should be from the same IP all its life, and this
should be built into PHP. Internal networks will be seen as the same
IP, so a session can be stolen by somebody else in the same internal net,
but not from outside of it.
Now tell me what's wrong with my opinion, b/c it's too simple to work :)
PHP General Mailing List (http://www.php.net/)
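The strict IP binding proposed in the message above, run over four constructed requests that cover the two cases the thread raises (HTTP proxies changing the client address, and a second host on the same internal network). This is an added example, not part of the original message; the function names are hypothetical and the addresses are constructed from the RFC 5737 documentation ranges.

```php
<?php
// Added example: strict IP binding for a session, checked offline
// against constructed requests. bind_session() and check_request()
// are hypothetical helpers, not PHP built-ins.

/** Record the client address at the moment the session is created. */
function bind_session(array &$session, string $remoteAddr): void
{
    $session['bound_ip'] = $remoteAddr;
}

/** Accept a later request only if it arrives from the bound address. */
function check_request(array $session, string $remoteAddr): bool
{
    return isset($session['bound_ip']) && $session['bound_ip'] === $remoteAddr;
}

// In a real page $session would be $_SESSION after session_start(),
// and the address would come from $_SERVER['REMOTE_ADDR'].
$session = [];
bind_session($session, '203.0.113.10'); // login seen via an office NAT gateway

// Constructed requests: [description, address the server sees, is it the owner?]
$requests = [
    ['owner, same NAT gateway',         '203.0.113.10', true],
    ['owner, proxy pool changed exit',  '198.51.100.7', true],
    ['stolen cookie, outside network',  '192.0.2.44',   false],
    ['stolen cookie, same NAT gateway', '203.0.113.10', false],
];

foreach ($requests as [$who, $ip, $isOwner]) {
    $accepted = check_request($session, $ip);
    if ($accepted && $isOwner) {
        $verdict = 'accepted (correct)';
    } elseif (!$accepted && $isOwner) {
        $verdict = 'rejected (owner locked out)';
    } elseif (!$accepted && !$isOwner) {
        $verdict = 'rejected (hijack blocked)';
    } else {
        $verdict = 'accepted (hijack not detected)';
    }
    printf("%-34s %-14s %s\n", $who, $ip, $verdict);
}
```

The second and fourth rows are the two limits discussed in the thread: a legitimate user whose proxy changes address mid-session, and a second client that shares the owner's visible address.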