Chris Shiflett wrote:
> How do sessions help against this? Well, they don't solve the problem
> entirely, of course, but the unique ID you pass around won't be the same
> unique ID *every* time that user visits the site. So, you at least have
> a good chance of making the window of time that an imposter has to work
> with very small.
If you want to avoid even this small window, just store in a db file the
session numbers you give away, along with the IP address of the user who
got each one. Then, when you get a new request for that session, check the
IP you are getting it from and you are 100% sure the guy is who he says he
is.

There is one side-effect, though. Users on unstable dial-up lines do lose
their sessions when they get disconnected and call again. It may have an
impact on sales.

Alberto Kiev
--
@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@
LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu? lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS ThE tEsT, yEs It Is tHe TeSt, YeS iT iS ThE tEsT, yEs It Is.......
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
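Putting both suggestions together in PHP, as an added example that is not code from either poster: the session ID is rotated when the session is first bound (Chris's point), and the client IP is recorded and re-checked on every request (Alberto's point). The IP is kept in the server-side session data rather than a separate db file, the `bound_ip`/`bound_at` keys and the `/login.php` redirect target are my own choices, and the dial-up reconnect case Alberto describes is the branch that logs and destroys the session.

```php
<?php
// Added example, not from the original thread. Binds a PHP session to the
// client IP that created it and rotates the session ID at binding time.
// Assumes the script runs under a web server that sets $_SERVER['REMOTE_ADDR'].

session_start();

function client_ip(): string
{
    // REMOTE_ADDR is the peer address the web server itself saw. Forwarding
    // headers are set by whoever sends the request, so they are not used here.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function bind_session_to_ip(): void
{
    // Issue a fresh ID so an ID seen before this point is no longer valid,
    // then remember which IP the new ID belongs to.
    session_regenerate_id(true);
    $_SESSION['bound_ip'] = client_ip();   // key name is my own choice
    $_SESSION['bound_at'] = time();
}

function session_ip_matches(): bool
{
    return isset($_SESSION['bound_ip']) && $_SESSION['bound_ip'] === client_ip();
}

if (!isset($_SESSION['bound_ip'])) {
    bind_session_to_ip();
} elseif (!session_ip_matches()) {
    // This is the side-effect Alberto mentions: a dial-up user who reconnects
    // with a new IP lands here and loses the session. Logging it lets you
    // measure how often that happens instead of guessing at the sales impact.
    error_log(sprintf('session %s: IP changed from %s to %s, destroying it',
        session_id(), $_SESSION['bound_ip'], client_ip()));
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');   // hypothetical login page
    exit;
}

// Reaching this point means the request came from the IP the session was bound to.
echo 'Session bound to ', htmlspecialchars($_SESSION['bound_ip']), "\n";
```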