> The point of doing it is, even if someone gets your SID, they
> can't just paste it on to the URL because they don't have the
> IP that matches that session, so when they go to that page,
> your include file detects this, and stops them.

Definitely a problem. Which is why I recommend multiple checks (IP Address, Referrer, Browser - especially browser) to verify a connection. It's highly unlikely all three of those would change. But if IP Address changed and the referrer and Browser stayed the same it's possibly the same person. (You could also do a little check on how different the IP Address is and base it off of that)

Or, if you want to make it more difficult and only accept cookies (which makes it harder for the average joe to accidentally hijack a session), PHP 4.3 will have "session.use_only_cookies" as a variable.

Jaime Bozza

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
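
The multi-check idea from the message above, sketched as an added example that is not code from the post or from PHP itself. The function names, the three-way ok/reauth/reject policy, the two-octet threshold and the reading of the referrer check as "the Referer host is our own site" are all assumptions, and the IP comparison handles IPv4 only.

```php
<?php
// Added example; names, policy and thresholds are assumptions.
// On a real page, set session.use_only_cookies=1 before session_start()
// and keep the fingerprint() result in $_SESSION.

// Number of leading IPv4 octets two addresses share (0 to 4).
function shared_octets(string $a, string $b): int {
    $pa = explode('.', $a);
    $pb = explode('.', $b);
    $n = 0;
    while ($n < 4 && isset($pa[$n], $pb[$n]) && $pa[$n] === $pb[$n]) {
        $n++;
    }
    return $n;
}

// Snapshot taken when the session is created.
function fingerprint(array $server): array {
    return [
        'ip' => $server['REMOTE_ADDR'] ?? '',
        'ua' => hash('sha256', $server['HTTP_USER_AGENT'] ?? ''),
    ];
}

// Returns 'ok', 'reauth' (ask for the password again) or 'reject'.
function check_session(array $stored, array $server, string $ownHost): string {
    $now = fingerprint($server);
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    $refSame = ($refHost === $ownHost);
    if (!hash_equals($stored['ua'], $now['ua'])) return 'reject'; // browser changed
    if ($stored['ip'] === $now['ip']) return 'ok';                // nothing moved
    if (!$refSame) return 'reject';                               // IP and referrer changed
    // Only the IP changed: judge by how far it moved.
    return shared_octets($stored['ip'], $now['ip']) >= 2 ? 'ok' : 'reauth';
}

// Constructed sample requests (documentation address ranges).
$ua = 'Mozilla/5.0 (constructed sample)';
$ref = 'http://www.example.com/account.php';
$stored = fingerprint(['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => $ua]);
$samples = [
    'same client'       => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => $ua, 'HTTP_REFERER' => $ref],
    'nearby IP'         => ['REMOTE_ADDR' => '192.0.2.77', 'HTTP_USER_AGENT' => $ua, 'HTTP_REFERER' => $ref],
    'distant IP'        => ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_USER_AGENT' => $ua, 'HTTP_REFERER' => $ref],
    'other browser, IP' => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_USER_AGENT' => 'OtherBrowser/1.0'],
];
foreach ($samples as $label => $req) {
    echo $label, ': ', check_session($stored, $req, 'www.example.com'), "\n";
}
```

Both User-Agent and Referer are client-supplied headers, so these checks raise the bar against accidental or casual session reuse rather than proving identity.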