It is not generic enough to be implemented in a world-wide application, but it can be useful for intranets or extranets. That's to say, cases when you know the infrastructure used by the clients to connect to your server supports this strategy.
Yes, I suppose this is true, but if you are building an intranet application you probably aren't going to need this additional security.
I agree with the others -- this belongs in your application. In particular to prevent session fixation (rather than session hijacking) use the session_regenerate_id() after authentication happens. This should prevent fixation.
Hans
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
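The application-level fix suggested in the message above, calling session_regenerate_id() once authentication succeeds, is shown below as an added example that is not part of the original post. The `login()` helper, the `$users` array and the sample credentials are constructed for illustration, and enabling `session.use_strict_mode` is an extra hardening step assumed here rather than something the thread mentions.

```php
<?php
declare(strict_types=1);

// Constructed sample credential store (assumption; a real application
// would look the user up in its own database).
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

/**
 * Hypothetical login helper: verifies the password and, on success,
 * replaces the session ID before any privilege is attached to the session.
 */
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false; // failed logins keep the unprivileged session as it is
    }
    // Issue a fresh ID and delete the old session data (true), so an ID
    // that was planted before authentication no longer refers to anything.
    if (!session_regenerate_id(true)) {
        return false;
    }
    // Attach identity only to the newly issued session.
    $_SESSION = ['user' => $user, 'authenticated_at' => time()];
    return true;
}

// Refuse session IDs the server did not create and accept IDs from
// cookies only, so a client-supplied ID is never adopted.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

$before = session_id();   // ID in use before authentication
$ok     = login('alice', 'correct horse', $users);
$after  = session_id();   // ID issued after authentication

printf(
    "login ok: %s\nsession id changed: %s\n",
    var_export($ok, true),
    var_export($before !== $after, true)
);
```

Run from the PHP CLI, the script reports whether the login succeeded and whether the pre-authentication ID was replaced.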