Chris Shiflett wrote:
GamblerZG wrote:
I think it's still reasonable to restrict a session to a single IP.
No, it's not, for all of the reasons Richard mentioned and more.
I agree that using only IP to identify session is bad.
Using only SID is ok.
Using SIDs that are tied to a single IP is even _more secure_, since the
possible attacker would need to have exactly the same IP as a victim of
session hijacking. This comes at a price of a small inconvenience for
dial-up users (since they would need to login on each reconnect), but I
think such a price is reasonable.
IMO, the best way is to re-generate SIDs on each request, but such a
method will decrease the performance of a script.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
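The two techniques argued about above (binding a session to the IP that created it, and rotating the SID) look like this in PHP. This is an added example for the thread, not code posted by any of the participants; the function names and the `bound_ip` session key are illustrative choices.

```php
<?php
// Added example: PHP session bootstrap that ties the session to the client IP
// it was created from and optionally regenerates the SID on every request.
// Function names and the 'bound_ip' key are illustrative, not from the thread.

declare(strict_types=1);

function secure_session_start(bool $rotate_every_request = false): void
{
    // HttpOnly keeps page script from reading the SID cookie (PHP >= 7.3 array form).
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();

    $client_ip = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['bound_ip'])) {
        // Fresh session: remember the IP that created it.
        $_SESSION['bound_ip'] = $client_ip;
    } elseif (!hash_equals($_SESSION['bound_ip'], $client_ip)) {
        // IP mismatch: either the user reconnected (dial-up) or a stolen SID is
        // being replayed from another host. Drop all state, issue a new SID and
        // delete the old one, so the caller sees an empty, logged-out session.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $client_ip;
        return;
    }

    if ($rotate_every_request) {
        // New SID each request, old one removed: a captured SID is only
        // usable until the legitimate client's next request.
        session_regenerate_id(true);
    }
}

function login_user(string $username): void
{
    // Rotating the SID at login is the cheaper alternative to per-request
    // rotation: a SID fixed or sniffed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Usage: call once at the top of every script.
secure_session_start(rotate_every_request: false);
if (current_user() === null) {
    // ... show login form; on success call login_user($name) ...
}
```

`$_SERVER['REMOTE_ADDR']` is the TCP peer address, so behind a reverse proxy or load balancer every client appears to come from the proxy and the IP check degrades to a no-op unless the server is configured to trust the proxy's forwarded-for header. Clients behind a NAT share one address, so the binding only narrows the attacker to the same NAT, not to the same machine.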