Just be cautious if going to check IP, because: 1) The two users could be in the same house or cybercafé, which gives them the same IP. 2) The user could be traveling with a wireless card, his IP would change quite a lot in this scenario. On Tue, Jun 25, 2013 at 9:32 AM, <php@xxxxxxxxxxxxx> wrote: > You should at least check the IP of the client additionally to have some > prove > it is the same client you gave the session-ID. > > And it is better to put the session-ID in a POST-field than in GET. So it > es very unlikely someone passes a session ID around accidently. > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >
