Posted by John on 10/24/06 11:34

Simon Dean wrote:
> John wrote:
>
>> Simon Dean wrote:
>>
>>> And while Im at it... should I be using PHP's built in sessions, or
>>> use my own functions that I've chobbled together from various
>>> sources and takes advantage of also validating IP Addresses???
>>
>>
>>
>>> I don't like to use things just because they're there.
>>
>>
>>
>> I know what you mean, but if it's there and it's working well, then
>> use it.
>>
>> PHP sessions do work very well - except for one problem I found.
>>
>> MS IE kept using a different session ID for every page it requested !
>>
>>
>> I solved this by creating my own session ID and storing it in a
>> cookie, so I could get it back and force the same session ID each
>> time.
>
>
> Hrm... apart from setting a cookie and hoping (since you can't rely on
> PHP sessions), what you do isn't too different from what I do... I just
> pass a session id either in a cookie, or on the url, and verify it's
> still active with the right ip address...
>
> which brings me I think onto my next question... another poster said
> tcpip addresses are unreliable in some circumstances, so what else can
> you use to verify that someone else hasn't stolen someone elses
> sessionid and is using that account?

A good question - I'm may be getting out of my depth here, but this is
what I understand:

1) if you used PHP sessions (and their own ID's) natively, it would take
care of all that for you, but then you may run into the MS IE problem.

2) as I set my own session ID, I rely on generating a unique ID through
mt_rand() and a time() combination. I must admit, I do no more checking
on it, so it could happen that 2 people get the same ID - I'm just
relying on it being a very small probability...

I'm going to look into using the original PHP generated session ID, but
keep it in my own cookie !


Are you looking for a VERY secure method for doing something ? If so,
maybe you should be looking at something else, a secure server page ?
HTTPS ?

John.

[Back to original message]