> On that note, here are a few things you might want to consider if you
> want to make sessions more secure:
>
> - use only cookies for sessions. (session.use_only_cookies = 1) This
> prevents the session ID from *ever* being added to the URL. URLs get
> logged -- by apache, by proxy servers, by user bookmarks :) -- and if a
> URL contains a session ID then you have that mentioned problem where a
> session can be easily revived after the user closes the browser
> (effectively session hijacking, intentional or not).

This might be the way to go for an intranet application, like Hwee is
going to do, but not for a website with a wide audience because you are
reliant on the user's client (browser) accepting cookies. One could log
the user's user agent ident string or his IP address and check those
with every page request for further security.

Anyway, very good pieces of advice. Thanks, Hans!

Regards,
Torsten

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
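As an added example (not code from the thread, and not part of PHP's own distribution), here is a small session bootstrap that applies the cookie-only setting Hans recommends and implements the per-request user-agent/IP check Torsten mentions. The helper names `secure_session_start()` and `session_fingerprint()` are assumptions made for this example; the `session_regenerate_id()` call and the optional IP binding are additions beyond what either post states.

```php
<?php
// Added example, not from the original thread. Assumed helper names:
// secure_session_start(), session_fingerprint().

// Keep the session ID out of URLs: never accept it from the query string,
// and never rewrite links/forms to carry it. session.use_only_cookies = 1
// in php.ini does the same; setting it here covers hosts whose php.ini
// you cannot edit.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

/**
 * Build the client fingerprint Torsten suggests: the user-agent string
 * plus, optionally, the remote address. $bind_ip = false by default,
 * because users behind rotating proxy pools change REMOTE_ADDR between
 * requests and would be logged out constantly if it were bound.
 */
function session_fingerprint(array $server, bool $bind_ip = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bind_ip) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

/**
 * Start the session and compare the fingerprint recorded when the session
 * was created with the one derived from the current request.
 * Returns true when the session is trusted, false when it was discarded.
 */
function secure_session_start(bool $bind_ip = false): bool
{
    session_start();
    $current = session_fingerprint($_SERVER, $bind_ip);

    if (!isset($_SESSION['fingerprint'])) {
        // First request of a fresh session: record the fingerprint and
        // issue a new ID so an ID chosen before login cannot be reused.
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $current;
        return true;
    }

    if (hash_equals($_SESSION['fingerprint'], $current)) {
        return true;
    }

    // Fingerprint changed: treat the session as revived or hijacked.
    $_SESSION = [];
    session_destroy();
    return false;
}

if (!secure_session_start()) {
    http_response_code(403);
    exit('Session rejected');
}
```

Note that the user-agent string is fully under the client's control, so this check only raises the bar for an attacker who replays a leaked session ID from a different browser; it is a supplement to keeping the ID out of URLs, not a replacement for it.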