I haven't heard about addresses changing midway through a session (i.e.,
without reconnecting), but it's worth pointing out that there will be a few
other reasons why this isn't a good idea:

1. if they have to reconnect, they're near guaranteed to have a new IP
2. with most big ISPs, all users may *appear* to have the same IP... so any
of them could hijack the session?

The only way to test if IPs ARE changing is to get/borrow an AOL account,
and create a page which you can refresh 30 times over an hour, looking at
the IP addresses each time. That should confirm/deny the problem.

But I wouldn't be relying on a remote IP for anything... they're too
unreliable.

Justin French

on 29/08/02 7:29 AM, Joseph Szobody ([EMAIL PROTECTED]) wrote:
> In a portion of a website, I have implemented user authentication and
> management using sessions. When a user first logs in, the $REMOTE_ADDR is
> stored in a session variable SESSION['ip']. On each of the protected pages, a
> header.php is included with the following code:
>
> if ($SESSION['ip'] != $REMOTE_ADDR){
> header("Location: error.php?err=2");
> die;
> }
>
> As you can see, this is an attempt to see if someone is trying to hijack a
> session. The problem is, AOL doesn't like this. Whenever an AOL user logs into
> the website, the session starts successfully, but when the user goes to a
> protected page, he's redirected to error.php?err=2. For some reason, the IP
> address appears to be changing.
>
> Is this a known issue with AOL? Is the IP really changing from page to page?
> That seems weird. Any way around this, or must I stop using this security
> approach?
>
> Thanks,
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
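
Added example (not part of the original thread): a replay of the header.php comparison over constructed requests, counting the two failure cases the reply lists, a legitimate user rejected because the address changed and a different user accepted because the address is shared. The request data, session ids, user names and function names are assumptions made for illustration.

```php
<?php
// The comparison from the quoted header.php, as a pure function so it can be replayed.
function ipCheckPasses(array $session, string $remoteAddr): bool
{
    return $session['ip'] === $remoteAddr;
}

// Constructed requests (RFC 5737 documentation addresses, not real traffic).
// 'who' is ground truth the server never sees; 'sid' is the session id presented.
$requests = [
    // alice logs in through a proxy pool: each request may leave from a different proxy
    ['who' => 'alice',   'sid' => 'S1', 'ip' => '192.0.2.10',   'login' => true],
    ['who' => 'alice',   'sid' => 'S1', 'ip' => '192.0.2.11',   'login' => false],
    ['who' => 'alice',   'sid' => 'S1', 'ip' => '192.0.2.10',   'login' => false],
    // bob logs in from behind an address shared by many ISP customers
    ['who' => 'bob',     'sid' => 'S2', 'ip' => '198.51.100.7', 'login' => true],
    // a different customer behind the same address presents bob's session id
    ['who' => 'mallory', 'sid' => 'S2', 'ip' => '198.51.100.7', 'login' => false],
];

// Replays the requests and classifies each protected-page hit.
function replay(array $requests): array
{
    $sessions = []; // sid => ['ip' => address seen at login, 'owner' => user]
    $results  = ['false_reject' => 0, 'false_accept' => 0, 'ok' => 0];

    foreach ($requests as $r) {
        if ($r['login']) {
            // Same as the original: remember the address seen at login.
            $sessions[$r['sid']] = ['ip' => $r['ip'], 'owner' => $r['who']];
            continue;
        }
        $session = $sessions[$r['sid']];
        $passes  = ipCheckPasses($session, $r['ip']);
        $legit   = ($session['owner'] === $r['who']);

        if ($legit && !$passes) {
            $results['false_reject']++;   // real user sent to error.php?err=2
        } elseif (!$legit && $passes) {
            $results['false_accept']++;   // shared address: the check sees nothing wrong
        } else {
            $results['ok']++;
        }
    }
    return $results;
}

print_r(replay($requests));
```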