>> I want to prevent one from taking over a session from one who left the site
>> and left his desk for a moment.
>>
>> What if that connection were two servers communicating together!?
>> Any crooked mind could then steal the latent session and start fire in the
>> system(s).
>
> All things that would've been good to know from your first
> message, rather than the vague nature in which it was sent. ;-P

The question remains the same and the initial problem is still the same.

My first concern is to avoid abandoned sessions from being stolen. The extension of that problem is automation between two servers, like from branches to the main office.

In that case, encryption is not a solution. It doesn't even block cross-browser action.

Apache has mod_unique_id that could be useful, but it's not the final answer IMO since it produces a unique ID based on a quadruple built on UTC, the PID, the IP and a counter. That doesn't tell if the socket is still open but only the last request the server satisfied.

For small applications maybe a cron like you gave could be a solution, but even so, will you set it to run every 30 seconds or so?? I think it could be somewhat heavy for the server. Just imagine 60 simultaneous visitors.

I would rely on JS to send an ID every 30 secs or so and wait for a new ID based on the preceding one. Something like mod_unique_id.

Do you know what's used in commerce?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
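
The heartbeat idea in the message above (a script sends an ID every 30 seconds and receives a new one based on the preceding one), seen from the server's side, as an added example that is not part of the original post. The class name `HeartbeatSessions`, the two-missed-beats grace period and the HMAC derivation are assumptions made for illustration.

```javascript
// Added example: server-side model of a rolling heartbeat ID (names are hypothetical).
const crypto = require('node:crypto');

const BEAT_MS = 30_000;        // client sends a heartbeat every 30 s (from the message)
const GRACE_MS = 2 * BEAT_MS;  // assumption: two missed beats end the session

class HeartbeatSessions {
  constructor(now = Date.now) {
    this.now = now;                     // injectable clock, so expiry can be tested
    this.key = crypto.randomBytes(32);  // server-side secret used to derive IDs
    this.sessions = new Map();          // sessionId -> { token, counter, lastSeen }
  }

  // Derive the next ID from the preceding one; without the key it cannot be predicted.
  next(prevToken, counter) {
    return crypto.createHmac('sha256', this.key)
      .update(`${prevToken}:${counter}`).digest('hex');
  }

  open() {
    const sessionId = crypto.randomBytes(16).toString('hex');
    const token = this.next(sessionId, 0);
    this.sessions.set(sessionId, { token, counter: 0, lastSeen: this.now() });
    return { sessionId, token };
  }

  // Returns the new ID on success, or null after destroying the session.
  heartbeat(sessionId, presented) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    const a = Buffer.from(String(presented));
    const b = Buffer.from(s.token);
    const match = a.length === b.length && crypto.timingSafeEqual(a, b);
    const fresh = this.now() - s.lastSeen <= GRACE_MS;
    if (!match || !fresh) {             // stale session or replayed ID: end it
      this.sessions.delete(sessionId);
      return null;
    }
    s.counter += 1;
    s.token = this.next(s.token, s.counter);
    s.lastSeen = this.now();
    return s.token;
  }

  // Request handlers would call this before honouring the session.
  isAlive(sessionId) {
    const s = this.sessions.get(sessionId);
    return !!s && this.now() - s.lastSeen <= GRACE_MS;
  }
}
```

Expiry is evaluated when a request or heartbeat arrives, so no periodic cron sweep is needed to reject an abandoned session; a sweep would only reclaim memory.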