On Sat, 7 Jun 2003, Bix wrote:

> Monty,
>
> The best way to avoid SID "Hijacks" is to assign an IP variable, and an
> expiration....
>
> session_register("USERIP");
> $_SESSION['USERIP'] = $_SERVER['REMOTE_ADDR'];
> session_register("EXPIRES");
> $_SESSION['expires'] = time() + 900; // 900 seconds (15 mins)
[snip]

I've not followed this thread (nor do I want to get involved with this
touchy and difficult topic) but must make a general comment on the above
code. One should never mix use of the deprecated session_register()
function with $_SESSION. If you're going to use $_SESSION, also use it to
assign session variables. There is NO need for use of session_register()
in the above code.

From the manual (various versions of this text are also in the manual):

"If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use
session_register(), session_is_registered(), and session_unregister()."

And btw, EXPIRES != expires.

And lastly, there is now session_regenerate_id() although it won't set
session cookies until PHP 4.3.3.

Regards,
Philip

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
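
The quoted snippet reworked along the lines of the reply above, as an added example that is not part of the original messages: session variables are assigned through $_SESSION only, the key names are consistent, and session_regenerate_id() issues a fresh ID. The names SESSION_TTL, bind_session() and is_session_valid() are hypothetical, and the code is written for current PHP releases rather than PHP 4.3.

```php
<?php
// Added example; SESSION_TTL and both helper names are illustrative.
const SESSION_TTL = 900; // 900 seconds (15 mins), as in the quoted snippet

// Store the client address and expiry via $_SESSION only
// (no session_register()), using one spelling for each key.
function bind_session(array &$session, string $remoteAddr, int $now): void
{
    $session['USERIP']  = $remoteAddr;
    $session['EXPIRES'] = $now + SESSION_TTL;
}

// True only when both keys exist, the address matches this request,
// and the expiry time has not been reached.
function is_session_valid(array $session, string $remoteAddr, int $now): bool
{
    if (!isset($session['USERIP'], $session['EXPIRES'])) {
        return false;
    }
    return $session['USERIP'] === $remoteAddr && $now < $session['EXPIRES'];
}

session_start();
$ip  = $_SERVER['REMOTE_ADDR'] ?? '';
$now = time();

if (!isset($_SESSION['USERIP'])) {
    // First request on this session: issue a fresh ID, then bind it.
    session_regenerate_id(true);
    bind_session($_SESSION, $ip, $now);
} elseif (!is_session_valid($_SESSION, $ip, $now)) {
    // Address mismatch or expiry: discard all stored data and continue
    // as a new, unauthenticated session under a new ID.
    $_SESSION = [];
    session_regenerate_id(true);
    bind_session($_SESSION, $ip, $now);
} else {
    // Valid request: slide the expiry window forward.
    $_SESSION['EXPIRES'] = $now + SESSION_TTL;
}
```

REMOTE_ADDR can change mid-session for clients behind rotating proxies, so a mismatch here ends the session without indicating why the address changed.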