> The point of doing it is, even if someone gets your SID, they 
> can't just paste it on to the URL because they don't have the 
> IP that matches that session, so when they go to that page, 
> your include file detects this, and stops them.

Definitely a problem.  Which is why I recommend multiple checks (IP
Address, Referrer, Browser - especially browser) to verify a connection.
It's highly unlikely all three of those would change.  But if IP Address
changed and the referrer and Browser stayed the same it's possibly the
same person.

(You could also do a little check on how different the IP Address is and
base it off of that)

Or, if you want to make it more difficult and only accept cookies (which
makes it harder for the average joe to accidentally hijack a session),
PHP 4.3 will have "session.use_only_cookies" as a variable.

Jaime Bozza

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to