Posted by Jerry Stuckle on 10/24/53 11:34

Simon Dean wrote:
> John wrote:
>
>> Simon Dean wrote:
>>
>>> And while Im at it... should I be using PHP's built in sessions, or
>>> use my own functions that I've chobbled together from various
>>> sources and takes advantage of also validating IP Addresses???
>>
>>
>>
>>> I don't like to use things just because they're there.
>>
>>
>>
>> I know what you mean, but if it's there and it's working well, then
>> use it.
>>
>> PHP sessions do work very well - except for one problem I found.
>>
>> MS IE kept using a different session ID for every page it requested !
>>
>>
>> I solved this by creating my own session ID and storing it in a
>> cookie, so I could get it back and force the same session ID each
>> time.
>
>
> Hrm... apart from setting a cookie and hoping (since you can't rely on
> PHP sessions), what you do isn't too different from what I do... I just
> pass a session id either in a cookie, or on the url, and verify it's
> still active with the right ip address...
>
> which brings me I think onto my next question... another poster said
> tcpip addresses are unreliable in some circumstances, so what else can
> you use to verify that someone else hasn't stolen someone elses
> sessionid and is using that account?
>
>
> Thanks
> Simon

Simon,

You really can't.

The other person is right - IP addresses are not reliable. Some ISP's
(especially AOL), corporate networks, etc. are set up with redundant
proxies. Every incoming request can potentially come from a redundant
proxy. And the IP address you see will be that of the proxy, not the
original requester.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]