Chris Shiflett wrote:

> How do sessions help against this? Well, they don't solve the problem 
> entirely, of course, but the unique ID you pass around won't be the same 
> unique ID *every* time that user visits the site. So, you at least have 
> a good chance of making the window of time that an imposter has to work 
> with very small.

If you want to avoid even this small window, just store in a db file the 
session numbers you give away, along with the IP address of the user who 
got each one. Then when you get a new request for that session, check the IP 
you are getting it from and you are 100% sure the guy is who he says he is.

There is one side-effect, though. Users on unstable dial-up lines do 
lose their sessions when they get disconnected and call again. It may 
have an impact on sales.




LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......
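
The check described in this reply, sketched in PHP as an added example that is not part of the original post. The store path and the function names are hypothetical, the addresses are constructed samples, and in a real request the address would come from $_SERVER['REMOTE_ADDR'].

```php
<?php
// Hypothetical location of the "db file" mapping session ID => issuing IP.
define('STORE', sys_get_temp_dir() . '/session_ip_store.json');

function load_store(): array {
    if (!is_file(STORE)) {
        return [];
    }
    $data = json_decode(file_get_contents(STORE), true);
    return is_array($data) ? $data : [];
}

function save_store(array $store): void {
    file_put_contents(STORE, json_encode($store), LOCK_EX);
}

// Hand out a new, unpredictable session ID and record who received it.
function issue_session(string $ip): string {
    $sid = bin2hex(random_bytes(16));
    $store = load_store();
    $store[$sid] = $ip;
    save_store($store);
    return $sid;
}

// Accept a session ID only when it arrives from the address it was issued to.
// A mismatch is rejected without deleting the record, so a request from
// elsewhere cannot be used to knock out the legitimate user's session.
function check_session(string $sid, string $ip): bool {
    $store = load_store();
    return isset($store[$sid]) && hash_equals($store[$sid], $ip);
}

// Constructed sample run using documentation address ranges.
@unlink(STORE);
$sid = issue_session('192.0.2.10');

// Same user, same address.
var_dump(check_session($sid, '192.0.2.10'));
// Same ID presented from another address: an imposter, or the dial-up
// user from the side-effect above who redialed and got a new IP.
var_dump(check_session($sid, '198.51.100.7'));
// An ID that was never issued.
var_dump(check_session(str_repeat('0', 32), '192.0.2.10'));
```

Clients that reach the server through the same proxy or NAT gateway present the same address, so this check cannot tell them apart.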
