On Wed, August 29, 2007 4:33 pm, tedd wrote:
> At 10:52 PM +0200 8/18/07, Michelle Konzack wrote:
>> On 2007-08-17 22:07:47, Bastien Koert wrote:
>>>
>>> If cookies are not available, you can either
>>>
>>> hide the id in the hidden form field element
>>> or
>>> enable trans_sid to automatically pass the session id in the url
>>
>> This will be a security risk since Session-Hijacker can grab the URL
>>
>> Greetings
>> Michelle Konzack
>> Systemadministrator
>> Tamay Dogan Network
>> Debian GNU/Linux Consultant
>
> When the user first generates a session id, grab the user's ip and
> store both in mysql.
>
> In the code, always check the session id against the user's ip before
> doing anything. If they don't match with what you started with, then
> stop. That should stop most Session-Hijackers, don't you think?
>
> Cheers,
>
> tedd
>
> PS: Back from vacation, and all ready to be retrained.

You have just booted all AOL users from your website. They change IP
address every request sometimes. IP is absolutely useless for
identification.

--
Please vote for this great band:
http://acl.mp3.com/feature/soundandjury/?band=COMPANY-OF-THIEVES
Requires email confirmation. One vote per day per email limit.
Obvious ballot-stuffing will be revoked.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
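The thread raises two points: passing the session id in the URL via trans_sid exposes it (Referer headers, proxy and server logs, shared links), and binding a session to the client IP breaks for users behind rotating proxies. The following is an added example written for this discussion, not code posted by any participant. It shows the php.ini settings the thread warns about next to the hardened cookie-only configuration, and replaces the IP check with id regeneration on login plus a fingerprint that does not depend on the client address. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params); the function names on_login and fingerprint are illustrative, not part of PHP.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumes PHP >= 7.3.

// Weak settings (what trans_sid gives you): every link and form gets
// PHPSESSID=<id> appended, so the id lands in Referer headers, proxy
// logs, browser history and any URL the user copies to someone else.
//   session.use_trans_sid   = 1
//   session.use_only_cookies = 0

// Hardened settings: the id travels only in a cookie, and an id that
// arrives in the query string is ignored rather than adopted.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Fingerprint that stays stable for one browser session even when the
// client's IP changes between requests (the AOL case in the reply).
// This is a weak signal, so treat it as a tripwire, not as authentication.
function fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

if (!isset($_SESSION['fp'])) {
    // First request of this session: record the fingerprint.
    $_SESSION['fp'] = fingerprint();
} elseif (!hash_equals($_SESSION['fp'], fingerprint())) {
    // Fingerprint changed mid-session: invalidate the session server-side
    // so a captured id stops working, and refuse the request.
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('session mismatch');
}

// On any privilege change (successful login, role switch) issue a fresh id
// and delete the old session file, so an id captured before login is useless.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The regeneration step is the part that actually defeats a captured id: an attacker who obtained the pre-login id from a log or Referer is left holding an id the server has already deleted. The fingerprint check only limits how long a leaked post-login id stays usable and should never be the sole control.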