Jerry Verhoef wrote:

> It is possible to "steal" a session because a session_id is usually based on
> a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the
> session. And check them every page. 
> kind regards,
> Jerry

Do you null the user if the IP changes?  IPs can change during a user's 
session, so I wouldn't base the validity of the session solely based on IP.

Michael Kimsal
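
The check discussed in this thread, as an added example that is not code from either poster: the session is bound to the client's details on first request, a User-Agent mismatch ends the session, and an IP change only forces re-authentication, since IPs can change during a session. The function names `client_fingerprint` and `check_binding` and the `fp` / `needs_reauth` session keys are hypothetical.

```php
<?php
// Added example. client_fingerprint(), check_binding() and the session keys
// 'fp' and 'needs_reauth' are hypothetical names, not from the thread.

function client_fingerprint(array $server): array {
    return [
        'ip'  => $server['REMOTE_ADDR'] ?? '',
        // Client-supplied header: recorded for comparison, never trusted as identity.
        'xff' => $server['HTTP_X_FORWARDED_FOR'] ?? '',
        'ua'  => hash('sha256', $server['HTTP_USER_AGENT'] ?? ''),
    ];
}

// Returns 'ok', 'reauth' (address changed) or 'reject' (User-Agent changed).
function check_binding(array $stored, array $current): string {
    if (!hash_equals($stored['ua'], $current['ua'])) {
        return 'reject';   // policy assumed here: a different browser ends the session
    }
    if ($stored['ip'] !== $current['ip'] || $stored['xff'] !== $current['xff']) {
        return 'reauth';   // proxies and mobile networks change IPs legitimately
    }
    return 'ok';
}

session_start();
$now = client_fingerprint($_SERVER);

if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = $now;                   // first request: bind the session
} else {
    switch (check_binding($_SESSION['fp'], $now)) {
        case 'reject':
            $_SESSION = [];
            session_destroy();
            http_response_code(403);
            exit;
        case 'reauth':
            session_regenerate_id(true);      // issue a new id, delete the old session
            $_SESSION['fp'] = $now;
            $_SESSION['needs_reauth'] = true; // app re-prompts before sensitive actions
            break;
    }
}
```

Anyone who can copy the cookie can usually copy the User-Agent too, so this binding narrows the window for a stolen session id but does not replace transport encryption or short session lifetimes.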
