Posted by Simon Dean on 10/16/44 11:34
John wrote:
> Simon Dean wrote:
>
>> And while I'm at it... should I be using PHP's built-in sessions, or
>> use my own functions that I've cobbled together from various
>> sources and take advantage of also validating IP addresses???
>
>
>> I don't like to use things just because they're there.
>
>
> I know what you mean, but if it's there and it's working well, then
> use it.
>
> PHP sessions do work very well - except for one problem I found.
>
> MS IE kept using a different session ID for every page it requested!
>
>
> I solved this by creating my own session ID and storing it in a
> cookie, so I could get it back and force the same session ID each
> time.

Hrm... apart from setting a cookie and hoping (since you can't rely on
PHP sessions), what you do isn't too different from what I do... I just
pass a session ID either in a cookie, or on the URL, and verify it's
still active with the right IP address...

Which brings me, I think, onto my next question... another poster said
TCP/IP addresses are unreliable in some circumstances, so what else can
you use to verify that someone else hasn't stolen someone else's
session ID and is using that account?

Thanks
Simon
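
The check described in the post above (a session that must still be active and must come from the IP address it started on), as an added example that is not part of the original post or any poster's code. The function name, array keys, idle limit and request sequence are all hypothetical; a legitimate user whose address changes mid-session gets the same `ip_mismatch` result as a stolen ID.

```php
<?php
declare(strict_types=1);

// Added example: names, keys and sample values are constructed for illustration.
const IDLE_LIMIT = 1800; // seconds a session may sit unused (assumed value)

/**
 * Compare the stored session record with the current request.
 * Returns 'new', 'ok', 'expired' or 'ip_mismatch'. On failure the record
 * is emptied, so whoever presents the ID next has to log in again.
 */
function check_session(array &$session, string $remoteAddr, int $now): string
{
    if (!isset($session['ip'], $session['last_seen'])) {
        // First request on this session ID: record what later requests must match.
        $session['ip'] = $remoteAddr;
        $session['last_seen'] = $now;
        return 'new';
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT) {
        $session = [];           // "still active" check failed
        return 'expired';
    }
    if ($session['ip'] !== $remoteAddr) {
        $session = [];           // same ID, different address: fail closed
        return 'ip_mismatch';
    }
    $session['last_seen'] = $now; // sliding idle window
    return 'ok';
}

// With PHP's built-in sessions the call would be, after session_start():
//   check_session($_SESSION, $_SERVER['REMOTE_ADDR'], time());

// Constructed request sequence: [client address, seconds since first request].
$session  = [];
$requests = [
    ['192.0.2.10',   0],
    ['192.0.2.10',   600],
    ['198.51.100.7', 660],  // same session ID presented from another address
    ['192.0.2.10',   700],  // record was wiped, so this starts over
    ['192.0.2.10',   2600], // more than IDLE_LIMIT after the previous request
];
foreach ($requests as [$ip, $t]) {
    printf("%-13s t=%-5d %s\n", $ip, $t, check_session($session, $ip, 1000000 + $t));
}
```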