On Fri, Apr 04, 2003 at 10:13:59PM +0200, Frank Maas wrote:
> On the latter I totally agree. To avoid the session snatching you
> describe, you can store IP addresses on your site in the database.
> You won't solve proxy-server problems with this though. So what about
> the following approach:
> * a user logs on and you issue a session, as part of the URI
> * when the user requests another page, you fetch the session
> from the URI, check it against your database and (let's
> assume it's correct) you allow access, but while issuing
> a new session
Interesting idea. I assume that you're keeping the session key/ID in the URL, right? Does it break if someone hits "back" (and goes to a page that's full of URLs with an old session ID in them) and then clicks on one of them?

-Andy
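A runnable sketch of the scheme Frank proposes, and of the "back" button case Andy asks about. This is an added example, not code from either poster: the database is replaced by an in-memory dict (keyed by a SHA-256 of the session ID, so a copied store does not hand out live IDs), the query parameter name `sid` and the client addresses are assumptions, and an IP mismatch is treated as revoking the session outright.

```python
import hashlib
import secrets


class UriSessionStore:
    """Per-request session rotation with IP binding, as sketched in the thread.

    Constructed stand-in for the database: a dict keyed by the SHA-256 of the
    session ID, so a leaked copy of the store does not expose usable IDs.
    Each record binds the session to the client IP seen at login.
    """

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(session_id):
        return hashlib.sha256(session_id.encode()).hexdigest()

    def _issue(self, record):
        session_id = secrets.token_urlsafe(32)  # 256 random bits, URL-safe
        self._sessions[self._key(session_id)] = record
        return session_id

    def login(self, user, client_ip):
        """Step 1: the user logs on and gets a session ID to carry in the URI."""
        return self._issue({"user": user, "ip": client_ip})

    def request(self, session_id, client_ip):
        """Step 2: check the ID taken from the URI; if it is good, consume it
        and hand back a fresh one. Returns (user, new_id) or (None, None)."""
        record = self._sessions.pop(self._key(session_id), None)
        if record is None:
            return None, None   # unknown, already rotated away, or revoked
        if record["ip"] != client_ip:
            return None, None   # IP mismatch: the session is now revoked
        return record["user"], self._issue(record)

    def build_link(self, path, session_id):
        # assumption: pages carry the ID as a query parameter named "sid"
        return f"{path}?sid={session_id}"


def back_button_scenario():
    """Andy's question: the user goes back to a page whose links still carry
    an ID that has since been rotated away."""
    store = UriSessionStore()
    ip = "10.0.0.5"                          # constructed client address
    sid1 = store.login("alice", ip)
    user, sid2 = store.request(sid1, ip)     # page A rendered with sid2 links
    _, sid3 = store.request(sid2, ip)        # page B rendered with sid3 links
    stale = store.request(sid2, ip)          # "back" to page A, click a link
    fresh = store.request(sid3, ip)          # a link from the current page B
    return {
        "first_request_ok": user == "alice" and sid2 != sid1,
        "stale_link_rejected": stale == (None, None),
        "current_link_ok": fresh[0] == "alice",
    }


def ip_mismatch_scenario():
    """The IP check stops a snatched ID used from another address, but it also
    locks out the real owner once their address changes (the proxy problem)."""
    store = UriSessionStore()
    sid = store.login("bob", "10.0.0.5")
    hijack = store.request(sid, "192.0.2.9")  # snatched ID, other address
    owner = store.request(sid, "10.0.0.5")    # legitimate owner afterwards
    return {
        "hijack_rejected": hijack == (None, None),
        "owner_locked_out": owner == (None, None),
    }


if __name__ == "__main__":
    print(back_button_scenario())
    print(ip_mismatch_scenario())
```

Because `request` pops the old record before issuing the new ID, every link on a page the user navigated away from is dead: the "back" case Andy describes fails closed rather than open. The second scenario shows the other side of the IP binding, which is the proxy caveat Frank already notes.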