Hi
I do a few basic things that improve security - it's still not strict security but

What I do is store both the remote IP and the User-Agent HTTP parameters in the
session when the session is created.
Whenever a new request comes in with that session I check that those haven't changed.
If they haven't, I allow access and update the 'last access time' (for expiry); if not,
they are logged out and the session closed.

This means that any user disconnected from their ISP has to log in again, which I
consider acceptable. It also means that if they copy a URL and paste it into another
browser they will end up logged out; again, it does not happen often and people should
accept it as the price of security.

It does mean that someone on the same proxy and using the same browser could still do
something, but that is already a lot fewer people.

I also check the referrer to make sure people are coming from a page that makes sense. If
you wanted to be more sophisticated you could store where a user has been recently
(the last 5 URLs maybe) and check that the referrer is one of them. If the referrer is
not a page where the user has been then things are fishy and you log them out.

If you need even better security there's SSL, or storing unique,
random 'challenge-response' style tokens in pages that have to be sent back on the
next connection.

Probably many people on this list have more sophisticated systems in place. I'd be 
interested to know too :)

Joelle Nebbe
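The checks described in the message above, as one added example (this is not code from the original post or from Joelle's application). It binds a session to the remote IP and User-Agent recorded at login, expires it on a last-access timestamp, restricts the Referer to the last five URLs the user visited, and issues a fresh random per-page token that must be echoed back on the next request. The idle timeout of 15 minutes, the `SessionStore` API, and the URLs in the demo are all assumptions; it is framework-agnostic, so the caller passes in the request fields it has already extracted.

```python
"""Session binding: IP + User-Agent check, idle expiry, referer-in-recent-pages,
and a rotating per-page token. Added example, not the original poster's code."""
import hmac
import secrets
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

RECENT_URLS = 5          # "the last 5 URLs maybe"
IDLE_TIMEOUT = 15 * 60   # seconds since last access; assumed value, not from the post


def normalize(url: str) -> str:
    """Drop the fragment and lower-case scheme/host so a Referer header compares
    equal to the URL we recorded when we served the page."""
    s = urlsplit(url)
    return urlunsplit((s.scheme.lower(), s.netloc.lower(), s.path or "/", s.query, ""))


@dataclass
class Session:
    user: str
    remote_ip: str
    user_agent: str
    last_access: float
    page_token: str                      # must be sent back with the next request
    recent_urls: Deque[str] = field(default_factory=lambda: deque(maxlen=RECENT_URLS))


class SessionStore:
    """Hypothetical in-memory store; a real app would back this with a DB or cache."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock              # injectable so expiry can be tested

    def create(self, user: str, remote_ip: str, user_agent: str,
               landing_url: str) -> Tuple[str, str]:
        """Record IP and User-Agent at login; return (session id, first page token)."""
        sid = secrets.token_urlsafe(32)
        s = Session(user, remote_ip, user_agent, self._clock(), secrets.token_urlsafe(16))
        s.recent_urls.append(normalize(landing_url))
        self._sessions[sid] = s
        return sid, s.page_token

    def _destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def validate(self, sid: str, remote_ip: str, user_agent: str, url: str,
                 referer: str, token: str) -> Tuple[bool, str]:
        """Check a request against the stored session. On success the last-access
        time is refreshed and (True, next_token) is returned; on any failure the
        session is destroyed (the user is logged out) and (False, reason) is returned."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "no such session"
        now = self._clock()
        if now - s.last_access > IDLE_TIMEOUT:
            self._destroy(sid)
            return False, "expired"
        if s.remote_ip != remote_ip or s.user_agent != user_agent:
            self._destroy(sid)
            return False, "client fingerprint changed"
        if normalize(referer) not in s.recent_urls:
            self._destroy(sid)
            return False, "referer not in recent pages"
        # constant-time compare; a replayed old token fails because it was rotated
        if not hmac.compare_digest(s.page_token, token):
            self._destroy(sid)
            return False, "bad page token"
        s.last_access = now
        s.recent_urls.append(normalize(url))
        s.page_token = secrets.token_urlsafe(16)
        return True, s.page_token


if __name__ == "__main__":
    # Constructed walk-through with made-up addresses and URLs.
    store = SessionStore()
    sid, tok = store.create("alice", "203.0.113.5", "UA/1.0", "https://app.example/home")
    ok, tok = store.validate(sid, "203.0.113.5", "UA/1.0", "https://app.example/inbox",
                             "https://app.example/home", tok)
    print("same client, sane referer, fresh token:", ok)
    print("same session from another IP:",
          store.validate(sid, "198.51.100.7", "UA/1.0", "https://app.example/inbox",
                         "https://app.example/inbox", tok))
```

One practical point when wiring this into a real app: browsers and a strict `Referrer-Policy` can strip the Referer entirely, so the referer check as written will log those users out too; decide deliberately whether an absent Referer is treated as a failure or as "no evidence". The IP check likewise treats everyone behind one NAT or proxy as the same client, which is the residual exposure the post itself acknowledges.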
