> On Fri, Apr 04, 2003 at 10:13:59PM +0200, Frank Maas wrote:
>> On the latter I totally agree. To avoid the session snatching you
>> describe, you can store IP addresses on your site in the database.
>> You won't solve proxy-server problems with this though. So what about
>> the following approach:
>> * a user logs on and you issue a session, as part of the URI
>> * when the user requests another page, you fetch the session
>> from the URI, check it against your database and (let's
>> assume it's correct) you allow access but while issuing
>> a new session
>
> Interesting idea. I assume that you're keeping the session key/ID
> in the URL, right? Does it break if someone hits "back" (and goes
> to a page that's full of URLs with an old session ID in them)
> and then clicks on one of them?
Yep. I think that the back button is out of the question in such a solution. Of course one could think of yet another scheme that makes it possible to use the back button. But a simpler solution is to create a back-link on the page.

--Frank
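The scheme discussed in this thread (session ID carried in the URI, checked against the database, bound to the client IP, and replaced with a fresh ID on every request) as an added example; this is illustrative code written for this page, not code from Frank or from any project. The in-memory dict standing in for the database, the 15-minute idle timeout, the `sid` query-parameter name and the "back" link are assumptions. It also shows the failure mode raised in the reply: a page reached via the browser's back button carries the already-retired ID, so clicking one of its links fails validation.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: idle sessions expire after 15 minutes (not stated in the thread).
SESSION_TTL = 15 * 60


@dataclass
class Session:
    user: str
    ip: str        # client address the session is bound to
    last_seen: float


# Constructed in-memory stand-in for the database the thread mentions.
# Key is the *current* session ID; retired IDs are removed, so they cannot be replayed.
sessions: Dict[str, Session] = {}


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG; unguessable, URL-safe.
    return secrets.token_urlsafe(32)


def login(user: str, ip: str, now: Optional[float] = None) -> str:
    """Step 1 of the scheme: user logs on, a session ID is issued for use in the URI."""
    now = time.time() if now is None else now
    sid = new_session_id()
    sessions[sid] = Session(user=user, ip=ip, last_seen=now)
    return sid


def handle_request(sid: str, ip: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2 of the scheme: fetch the ID from the URI, check it against the store,
    and on success retire it and issue a new one. Returns the new ID, or None if
    the request must be refused (unknown/replayed ID, wrong IP, or idle timeout)."""
    now = time.time() if now is None else now
    record = sessions.get(sid)
    if record is None:
        return None            # never issued, already rotated (back button), or expired
    if record.ip != ip:
        # IP binding from the thread. Design choice: leave the record intact rather
        # than invalidate it, so a third party who merely guessed an ID cannot log
        # the real user out. Caveat from the thread: clients behind a rotating proxy
        # pool change address legitimately and will be refused here.
        return None
    if now - record.last_seen > SESSION_TTL:
        del sessions[sid]
        return None
    # Rotate: the old ID becomes unusable the moment this request is served.
    del sessions[sid]
    new_sid = new_session_id()
    sessions[new_sid] = Session(user=record.user, ip=ip, last_seen=now)
    return new_sid


def render_links(sid: str, paths: List[str], back_to: Optional[str] = None) -> List[str]:
    """Build the links for the page being served, every one carrying the fresh ID.
    Frank's suggested in-page back-link is just another such link (assumed name
    'back_to'), which is why it keeps working while the browser's back button does not."""
    links = [f"{p}?sid={sid}" for p in paths]
    if back_to is not None:
        links.append(f"{back_to}?sid={sid}")
    return links


if __name__ == "__main__":
    t = 1000.0
    s1 = login("frank", "10.0.0.5", now=t)
    s2 = handle_request(s1, "10.0.0.5", now=t + 1)
    print("rotated:", s2 is not None and s2 != s1)
    print("back-button replay of s1 refused:", handle_request(s1, "10.0.0.5", now=t + 2) is None)
    print("links on the current page:", render_links(s2, ["/inbox", "/compose"], back_to="/home"))
```

Every link the server emits is minted with the current ID, so navigation through the page's own links (including the back-link) always presents the latest ID; only links the browser cached from an earlier page carry a retired one.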