> IP match makes no sense. Someone's IP can change dramatically from one
> click to the next due to DHCP leases timing out, roaming from one wireless
> gateway to the next, coming through a round-robin DNS batch of proxy
> servers, etc.
I quote myself:

p.s. Storing "IP/USERAGENT/whatnot" on the server and matching it with the SID would probably decrease the number of session hijackings, I just don't know if that behaviour should be the default one. IMO, letting the user change it in php.ini would be more appropriate in case somebody sees a problem with this?

*php.ini* -> i.e., set by admin/owner.. maybe ini_set() would also be nice.

I of course see your point in not matching IP, but if you don't want session hijackings, you really just do have these options.. Personally you can always write this in 5 lines of PHP code which is just in a standard include file somewhere, to start the session and check useragent/remoteaddr inside the $_SESSION vars to see if they match the current visitor.. and people do that.

If the useragent changes then it's almost certain that you have a session hi-jacking (or an idiot pasting a URL with the SID from browser1 to browser2), which is something we don't want, but with browsers today we don't get very many useragents (or unique ones..). The trick should be to get something UNIQUE from the browser, something that doesn't change (or at least, shouldn't).

The ideal solution is to make at least the useragent check, because it SHOULDN'T change, and this should be default and non-configurable... Of course you can have two machines with the same browser and useragent (and you actually have lots of those), but still you eliminate *some* risk of session hi-jacking, making it still work in an environment you suggested.

The IP match should be implemented too, but through a php.ini switch, since I see from your comment above how that behaviour might not be desired. I would default it to off though, and let the user/admin/whatnot change it if they desire to do that.

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
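The "5 lines of PHP in a standard include file" the message describes, written out as an added example (editor's code, not code from the thread or from PHP's own session extension). It binds the session to a hash of the User-Agent and, only when the illustrative constant SESSION_BIND_IP is set, to REMOTE_ADDR, and discards the session on mismatch. The function names and the `__fp` session key are assumptions for this example; everything else is standard PHP 7.3+ session API.

```php
<?php
// Added example: session fingerprint binding, not code from the mailing list.
// Assumed names: SESSION_BIND_IP, client_fingerprint(), secure_session_start(),
// and the $_SESSION['__fp'] slot. The rest is the stock PHP session API.
declare(strict_types=1);

// User-Agent matching is always on. IP matching is opt-in (the equivalent of
// the php.ini switch proposed above), because the client IP legitimately
// changes behind DHCP, roaming Wi-Fi, or round-robin proxies.
const SESSION_BIND_IP = false;

function client_fingerprint(bool $bindIp): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $bindIp ? ($_SERVER['REMOTE_ADDR'] ?? '') : '';
    // Store a hash rather than the raw values; NUL separates the fields so
    // "abc"+"" and "ab"+"c" cannot collide.
    return hash('sha256', $ua . "\0" . $ip);
}

function secure_session_start(bool $bindIp = SESSION_BIND_IP): void
{
    // Refuse SIDs passed in the URL and reject IDs the server never issued,
    // which closes the "paste the SID into another browser" case directly.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();

    $expected = client_fingerprint($bindIp);

    if (!isset($_SESSION['__fp'])) {
        // First request for this session: record the fingerprint.
        $_SESSION['__fp'] = $expected;
        return;
    }

    if (!hash_equals($_SESSION['__fp'], $expected)) {
        // Fingerprint changed: treat it as a hijack (or a pasted SID).
        // Throw the old session away and start a fresh, empty one for this
        // client instead of letting it inherit the original user's state.
        error_log('session fingerprint mismatch from '
            . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        session_regenerate_id(true);   // new ID, old session file deleted
        $_SESSION = [];
        $_SESSION['__fp'] = $expected;
    }
}

secure_session_start();
```

Calling `secure_session_start()` at the top of the shared include replaces the usual `session_start()`. Note the limits the message itself points out: many clients share the same User-Agent string, so a matching UA proves little, and enabling `SESSION_BIND_IP` trades the roaming-user breakage described in the quoted reply for a narrower hijack window; the check is a cheap extra hurdle, not a substitute for cookie-only, HttpOnly, Secure sessions with regeneration at login.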