> > Maybe they aren't complaining. Maybe they don't know why it's happening, if
> > it is. If a 99% solution is good enough for you, then use it. It really
> > doesn't matter to me.
>
> A 99% solution is what I strive to get, between JavaScript and CSS
> incompatibilities between browsers, all kinds of HTML, table and form
> tags looking different between systems, and everything else which breaks
> design compatibility between the two, the programming side, having the
> IP check is great, with referer check the original user and the hacker
> who gets their SID just have both be running IE if it was a browser
> check, I'm willing to live with the possibility that someone could lose
> their session (though it hasn't happened yet) and if it does maybe we'll
> look at a different way to do it.

Yes, overall, a 99% solution is all we can hope for. But all I'm saying is
why even check the IP address? What added security does this give you?

The hard part is hijacking the session ID. If you can figure out someone's
session ID, then I'm pretty sure it wouldn't be hard to figure out their IP
and browser type, also.

It's not going to stop someone who is dedicated and just adds in extra
checks that are 99.9% _always_ the same for regular users. And if they are
different, you still can't tell if it's a hacker at a different IP address
or a user who just switched IP addresses.

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
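
The ambiguity discussed in the reply above, as an added example that is not part of the original message: a PHP check that binds a session to the client's IP address and browser string, run over four constructed requests that all carry the same session ID. The function names `bind_session` and `check_binding`, the session keys, the addresses (documentation ranges) and the browser string are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the thread. All names here are hypothetical.

/** Record the client attributes that later requests will be compared against. */
function bind_session(array &$session, string $ip, string $userAgent): void
{
    $session['bound_ip'] = $ip;
    $session['bound_ua'] = hash('sha256', $userAgent);
}

/** Return 'ok' when the request matches the stored binding, otherwise the reason. */
function check_binding(array $session, string $ip, string $userAgent): string
{
    if (!isset($session['bound_ip'], $session['bound_ua'])) {
        return 'unbound';
    }
    if (!hash_equals($session['bound_ua'], hash('sha256', $userAgent))) {
        return 'ua_mismatch';
    }
    if ($session['bound_ip'] !== $ip) {
        return 'ip_mismatch';
    }
    return 'ok';
}

// Constructed requests; the server only ever sees the address and browser string.
$session = [];
bind_session($session, '192.0.2.10', 'ExampleBrowser/1.0');

$requests = [
    'same user, same address'               => ['192.0.2.10',   'ExampleBrowser/1.0'],
    'same user, address changed'            => ['198.51.100.7', 'ExampleBrowser/1.0'],
    'other party, different address'        => ['203.0.113.5',  'ExampleBrowser/1.0'],
    'other party, same address and browser' => ['192.0.2.10',   'ExampleBrowser/1.0'],
];

foreach ($requests as $label => [$ip, $ua]) {
    printf("%-40s %s\n", $label, check_binding($session, $ip, $ua));
}
```

The second and third requests receive the same `ip_mismatch` verdict and the first and fourth the same `ok`, so the check's result alone does not say which party sent the request.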