Reply to Re: How to build a web application the right way

Posted by Michael Vilain on 12/30/06 09:54

In article <1167456419.216407.102120@n51g2000cwc.googlegroups.com>,
larry@portcommodore.com wrote:

> Jerry Stuckle wrote:
>
> >
> > VERY BAD IDEA!
> >
> > First of all, there are providers like AOL who have multiple servers.
> > Every time a user accesses the page they may come in on a different IP
> > address.
> >
> > And many companies have one server for the entire company (or at least a
> > site). Anyone coming into your site would be coming from the same IP
> > address. Since the two most likely places to intercept the packets are
> > on either end of the link and you know your server's end is secure (or
> > at least hope it is), this provides no protection whatsoever. Worse, it
> > bugs some users while providing a false sense of security for others.
>
> Interesting, I didn't realize that the IP address could change for some
> users in the middle of a session; thanks (I had got the tip from
> another page a while back; guess it wasn't that great of a resource.)
>
> I guess there isn't a good verification method of "you are still you"
> without user intervention then?

Create a "session key id" when the first hit occurs. Store the session
ID in MySQL along with a date/time stamp and any serialized data you
want saved between sessions. Use the serialization features of PHP to
store state between pages. If the user still "holds" the session key
and it hasn't expired, that's them even if their IP address has changed.

There's no way to serialize multiple sessions on the same machine as the
browser stores them usually as cookies. If you disable cookies, none of
this will work and you'll have to kick such users out, but that's your
decision on if you want to require cookies and perhaps Javascript in
order to use your site. There will be some ultra-paranoid users who'll
flame you for requiring this, but that's something you'll have to
decide. I don't see any other way to do this.

--
DeeDee, don't press that button! DeeDee! NO! Dee...
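
The session-key scheme described in the post above, as an added example that is not part of the original message or any poster's code. The table and column names, the 30-minute lifetime, the in-memory SQLite database standing in for MySQL, and JSON in place of PHP's `serialize()` are all assumptions made for the illustration.

```php
<?php
// Added example: the server recognises a client by an unguessable key it
// issued earlier plus an expiry check; the client IP is never consulted.
const SESSION_TTL = 1800; // assumed lifetime: 30 minutes of inactivity

function open_store(): PDO {
    // In-memory SQLite keeps the example offline; a MySQL DSN works the same way.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, last_seen INTEGER NOT NULL, data TEXT NOT NULL)');
    return $db;
}

function create_session(PDO $db, array $data, int $now): string {
    $id = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO sessions (id, last_seen, data) VALUES (?, ?, ?)');
    $stmt->execute([$id, $now, json_encode($data)]);
    return $id; // sent to the browser as a cookie (Secure, HttpOnly)
}

function load_session(PDO $db, string $id, int $now): ?array {
    // Accept only the exact format we issue before touching the database.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT last_seen, data FROM sessions WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown key
    }
    if ($now - (int)$row['last_seen'] > SESSION_TTL) {
        $db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
        return null; // expired: remove it so the key can never be revived
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE id = ?')->execute([$now, $id]);
    return json_decode($row['data'], true);
}

// Constructed walk-through with a made-up user and timestamps.
$db  = open_store();
$t0  = 1167456419;
$key = create_session($db, ['user' => 'example-user'], $t0);
var_dump(load_session($db, $key, $t0 + 600));                       // same key, ten minutes later
var_dump(load_session($db, $key, $t0 + 600 + SESSION_TTL + 1));     // same key after the idle limit
var_dump(load_session($db, str_repeat('0', 64), $t0));              // well-formed key that was never issued
```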
