This won't work because some ISPs will assign a new IP every few minutes or with each request. I'm thinking of AOL.

On Wed, 23 Jan 2002 18:46:50 -0500, SpamSucks86 wrote:

>The idea of building a website is largely to accommodate as large a
>portion of your visitors as possible. I'm not worried about people
>bookmarking sessionIDs, but what if someone copy/pastes the URL to a
>friend and they use the section. My friend gave me an excellent idea,
>and that is to check their IP and store the IP in the session. If the IP
>doesn't match, then start a new session. This would be perfect, because
>there's a double check. If someone disconnects from the internet but never
>closes their browser, I don't think they should be allowed to continue
>their session anyway, they should be required to log in again.
>
>-----Original Message-----
>From: Nick Wilson [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 23, 2002 3:35 AM
>To: [EMAIL PROTECTED]
>Subject: Re: [PHP] Need opinion On sessions - Cookies mandatory?
>
>* and then Jason G. blurted....
>> If cookies do not work, then you must have a session_id appended to the
>> URL. HTTP is a "stateless" protocol. So every time you make a request via
>> HTTP, you must let PHP know what the session_id is either through cookies,
>> or url query strings (or possibly posted with a form).
>
>Yep, now I'm with you. The amount of times you'd see that kind of ugly
>URL would be fairly minimal in most situations as most users these days
>aren't even aware they *can* disable cookies.
>
>> >> disable cookies, but appending the session ID could be a security risk.
>> >> Consider this: Someone is viewing a page and says "oh cool, I want Joe
>> >> to see this". He then copy/pastes the URL, sessionID and all, to Joe,
>> >> who then loads up the page using his friend's SessionID. With cookies,
>> >> this would not happen.
>> >
>> >Not a problem. The session is *destroyed* as soon as a user closes the
>> >browser.
>>
>> A session will only be *destroyed* if it uses a cookie. PHP never knows
>> when you close the browser, but the browser will remove the cookie. Next
>> time you fire up the browser, it will not send the cookie, and a different
>> session will be started.
>
>Sure. But there is some kind of clean on the host machine right? You
>couldn't expect to continue a session a week later because you've
>bookmarked a URL containing a SID.
>I think this is controlled by something like a timeout var in the
>php.ini.
>
>> In my personal experience, using cookies only has not proven to be a
>> problem. Your call.
>
>When you say using cookies only do you mean 'requiring' the user to have
>cookies enabled?
>
>--
>
>Nick Wilson
>
>Tel: +45 3325 0688
>Fax: +45 3325 0677
>Web: www.explodingnet.com

--
PHP General Mailing List (http://www.php.net/)
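
The IP check proposed in the quoted message, and the objection raised in the reply at the top of this thread, replayed over constructed traffic. This is an added example, not code from the thread; `checkSessionIp`, `replay` and the sample addresses are hypothetical.

```php
<?php
// Added example: the session/IP check from the thread as a pure function over
// a session array, so it runs from the CLI without session_start().
// Assumption: in a real page $session is $_SESSION and $ip is
// $_SERVER['REMOTE_ADDR'].

function checkSessionIp(array &$session, string $ip): string
{
    if (!isset($session['ip'])) {
        $session['ip'] = $ip;          // first request: remember the address
        return 'started';
    }
    if ($session['ip'] === $ip) {
        return 'continued';
    }
    // Mismatch: discard the old session data and start over, as proposed.
    $session = ['ip' => $ip];
    return 'reset';
}

// Feed a list of [label, address] requests through one session and
// return one formatted result line per request.
function replay(array $requests): array
{
    $session = [];
    $log = [];
    foreach ($requests as [$who, $ip]) {
        $log[] = sprintf('%-24s %-14s %s', $who, $ip, checkSessionIp($session, $ip));
    }
    return $log;
}

// Constructed traffic (documentation address ranges, not real hosts).
$pastedUrl = [
    ['owner', '192.0.2.10'],
    ['owner', '192.0.2.10'],
    ['friend with pasted URL', '198.51.100.7'],  // different address: reset
];
$rotatingAddresses = [
    ['same user, address A', '203.0.113.1'],
    ['same user, address B', '203.0.113.2'],     // same person: reset anyway
    ['same user, address C', '203.0.113.3'],
];

echo "Copied URL:\n", implode("\n", replay($pastedUrl)), "\n\n";
echo "ISP rotating addresses:\n", implode("\n", replay($rotatingAddresses)), "\n";
```

The first replay shows the check doing what was intended for a pasted session URL; the second shows the same legitimate user losing the session on every request once the source address changes between requests.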