Thanks all for your replies .. It's pretty much what I already thought, there
is no really secure way of handling sessions. Though most of the most
interesting information came from Jason (Yes! I'd love to see your custom
session handler .. even if only for inspiration for the one I'm planning to
write soon) and Mike .. this issue is one that bothers me also.

I'm not on AOL but my IP also can change at any time. It's not common,
usually I hold the same one until I dial my cable provider again .. but how
often does this IP change happen and do other ISPs also do things like
that?

Wouter

 -> -----Original Message-----
 -> From: Jennifer Goodie [mailto:[EMAIL PROTECTED]
 -> Sent: Saturday, 13 September 2003 0:37
 -> To: Wouter van Vliet; PHP General
 -> Subject: RE: [PHP] Session stealing, ..
 ->
 ->
 -> > # When deserialized we are called and need to check if the
 -> > # stored IP address equals the client's
 -> > function __wakeup() {
 -> >         global $Log;
 -> >         if ($_SERVER['REMOTE_ADDR'] != $this->Night['IP']) {
 -> >                 $Log->Warning('IP Address changed during sleep and wakeup, will clear userdata');
 -> >                 $this->Data = Array();
 -> >         }
 -> > }
 -> >
 -> > Upon sleep it stores the IP and time in the session data, and when it
 -> > smells coffee my object wakes up, checks if he's still being used on the
 -> > same host and if not the userdata is plainly cleared.
 -> >
 ->
 -> I hope none of your site visitors are on AOL as the IP can change between
 -> page requests for AOL users.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
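
The check described in the quoted message, as an added example that is not part of the original thread or the poster's code: a variant of the __wakeup() test that compares only a network prefix (assumed /24 for IPv4, /64 for IPv6), so an address change inside the same network keeps the data while a move to another network clears it. The names BoundSession and same_network, the prefix lengths and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Class and function names are hypothetical.

// True when both addresses are the same family and share the first $bits bits.
function same_network(string $a, string $b, int $v4bits = 24, int $v6bits = 64): bool {
    $pa = @inet_pton($a);
    $pb = @inet_pton($b);
    if ($pa === false || $pb === false || strlen($pa) !== strlen($pb)) {
        return false;                       // unparsable or mixed IPv4/IPv6
    }
    $bits = strlen($pa) === 4 ? $v4bits : $v6bits;
    $full = intdiv($bits, 8);               // whole bytes to compare
    if (substr($pa, 0, $full) !== substr($pb, 0, $full)) {
        return false;
    }
    $rest = $bits % 8;                      // leftover bits in the next byte
    if ($rest === 0) { return true; }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($pa[$full]) & $mask) === (ord($pb[$full]) & $mask);
}

class BoundSession {
    public $Data = [];
    public $Night = [];

    // Called by serialize(): remember where and when we went to sleep.
    public function __sleep() {
        $this->Night = ['IP' => $_SERVER['REMOTE_ADDR'] ?? '', 'Time' => time()];
        return ['Data', 'Night'];
    }

    // Called by unserialize(): drop user data if the client left its network.
    public function __wakeup() {
        if (!same_network($_SERVER['REMOTE_ADDR'] ?? '', $this->Night['IP'] ?? '')) {
            error_log('Client network changed between sleep and wakeup, clearing userdata');
            $this->Data = [];
        }
    }
}

// Constructed demo using documentation address ranges.
$_SERVER['REMOTE_ADDR'] = '203.0.113.10';
$s = new BoundSession();
$s->Data = ['user' => 'wouter'];
$stored = serialize($s);
foreach (['203.0.113.77', '198.51.100.5'] as $ip) {
    $_SERVER['REMOTE_ADDR'] = $ip;
    echo $ip, ' keeps data: ', var_export(unserialize($stored)->Data !== [], true), "\n";
}
```

Clients whose requests arrive from unrelated proxy networks still lose their data under this check.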
