Jerry Verhoef wrote:
>
> It is possible to "steal" a session because a session_id is usually based on
> a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the
> session. And check them every page.
>
> kind regards,
> Jerry

Do you null the user if the IP changes? IPs can change during a user's session, so I wouldn't base the validity of the session solely based on IP.

Michael Kimsal

--
PHP General Mailing List (http://www.php.net/)
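
Added example, not part of either message above: a per-request check that stores the three values mentioned in the thread but treats an IP change as a reason to re-authenticate rather than as the sole test of validity. The function names and the ok/reauth/reject policy are assumptions, and `HTTP_X_FORWARDED_FOR` is assumed to be the `$_SERVER` key meant by "HTTP_X_FORWARD".

```php
<?php
// Added example: names and policy are hypothetical, not from the thread.

/** Collect the request attributes the thread proposes storing in the session. */
function client_fingerprint(array $server): array
{
    return [
        'ip'  => $server['REMOTE_ADDR'] ?? '',
        // Both headers below are client-supplied, so they are hints only.
        'fwd' => $server['HTTP_X_FORWARDED_FOR'] ?? '',
        'ua'  => $server['HTTP_USER_AGENT'] ?? '',
    ];
}

/**
 * Compare the stored fingerprint with the current request.
 * Returns 'ok', 'reauth' (address changed, same browser) or 'reject'
 * (User-Agent changed, which does not normally happen mid-session).
 */
function check_session(array &$session, array $server): string
{
    $now = client_fingerprint($server);
    if (!isset($session['fp'])) {
        $session['fp'] = $now;          // first request: bind the session
        return 'ok';
    }
    $old = $session['fp'];
    if ($old['ua'] !== $now['ua']) {
        return 'reject';                // caller should destroy the session
    }
    if ($old['ip'] !== $now['ip'] || $old['fwd'] !== $now['fwd']) {
        // IPs can change legitimately (proxies, mobile networks), so ask the
        // user to log in again instead of silently dropping the session.
        return 'reauth';
    }
    return 'ok';
}

// Constructed sample requests (documentation IP ranges, made-up agents).
$session = [];
$first = ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)'];
$moved = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)'];
$other = ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_USER_AGENT' => 'curl/8.0'];
foreach ([$first, $first, $moved, $other] as $req) {
    echo check_session($session, $req), PHP_EOL;
}
```

In a real page the call would be `check_session($_SESSION, $_SERVER)` after `session_start()`; after a successful re-authentication, call `session_regenerate_id(true)` and store the new fingerprint in `$_SESSION['fp']`.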