Unfortunately, in a real world situation, verifying IP address does
*NOT* work.  On our sites we have the following:

-- AOL.  Their outgoing IP isn't necessarily the same IP address
throughout the session.  AOL assigns IP addresses as needed.

-- People behind web caching servers.  HTTP can be cached, HTTPS cannot.
If you switch between HTTP and HTTPS, a person's IP address will change.

-- Clients that have network connections that multiplex multiple pipes.
If there are multiple IPs, then the connection may flipflop between the
IPs in the session.


And those are the most common problems with trying to force the same IP
in a session.  If you were to use IP to validate a session, it would be
best to combine it with the Browser Agent string and perhaps the
referrer.  If all three aren't what you expect, then it may be a hijack
attempt.

Just using IP address will cause problems if you run into any of the
problems above (and others that cause the IP address to change during a
session).


Jaime Bozza

> -----Original Message-----
> From: Adam Voigt [mailto:adam@cryptocomm.com]
> 
> You could, on the page where it initially creates their session,
> get their IP address and make that a session variable, then in
> one of your include files which is called on every page, check to
> see if the current user's IP matches the one of the $_SESSION[ip]
> variable, if it doesn't, just stop them dead with an exit; statement.
> 
> Course this won't help for people behind the same public IP, but
> it's a start. You could also verify against what the browser
> identifies itself as, etc.
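The combined check Jaime describes (IP plus User-Agent plus referrer, with the IP alone not being fatal), written as an added example for the "include called on every page"; this is not code from either poster. The hostname `$ourHost` and the three verdict strings are this example's own choices.

```php
<?php
// Added example: bind a PHP session to the three signals discussed in the thread.
// A changed IP on its own is tolerated (AOL address pools, proxies, HTTP<->HTTPS
// switches all change it legitimately); a changed User-Agent, or a changed IP
// combined with a request arriving from a foreign referrer, ends the session.

function binding_snapshot(array $server): array {
    return [
        'ip'      => (string)($server['REMOTE_ADDR'] ?? ''),
        'ua'      => (string)($server['HTTP_USER_AGENT'] ?? ''),
        // keep only the referring host; the full URL is noisy and user-controlled
        'referer' => (string)(parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST) ?: ''),
    ];
}

// Returns 'ok', 'ip-changed' (log and continue) or 'mismatch' (destroy the session).
function binding_verdict(array $stored, array $current, string $ourHost): string {
    if ($stored['ua'] !== $current['ua']) {
        return 'mismatch';                  // the browser string rarely changes mid-session
    }
    $ipChanged  = $stored['ip'] !== $current['ip'];
    $refForeign = $current['referer'] !== '' && strcasecmp($current['referer'], $ourHost) !== 0;
    if ($ipChanged && $refForeign) {
        return 'mismatch';                  // new address AND the user did not come from our site
    }
    return $ipChanged ? 'ip-changed' : 'ok';
}

// Per-request hook: call after session_start() from the common include file.
function enforce_session_binding(string $ourHost): void {
    $current = binding_snapshot($_SERVER);
    if (!isset($_SESSION['binding'])) {
        session_regenerate_id(true);        // fresh id the first time we bind the session
        $_SESSION['binding'] = $current;
        return;
    }
    switch (binding_verdict($_SESSION['binding'], $current, $ourHost)) {
        case 'mismatch':
            session_unset();
            session_destroy();
            http_response_code(403);
            exit;
        case 'ip-changed':
            error_log(sprintf('session %s: IP moved %s -> %s', session_id(),
                              $_SESSION['binding']['ip'], $current['ip']));
            $_SESSION['binding']['ip'] = $current['ip'];   // accept the new address
            break;
    }
}
```

Tighten or loosen `binding_verdict` to suit the traffic you actually see; the point of the three-signal check is that any one signal changing is normal, while several changing at once is what deserves a closer look.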



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php