> Yes, overall, a 99% solution is all we can hope for. But all I'm saying is > why even check the IP address? What added security does this give you? > > The hard part is hijacking the session ID. If you can figure out someone's > session ID, then I'm pretty sure it wouldn't be hard to figure out their IP > and browser type, also. > > It's not going to stop someone who is dedicated and just adds in extra > checks that are 99.9% _always_ the same for regular users. and if they are > different, you still can't tell if it's a hacker at a different IP address > or a user who just switched IP addresses.
The point of doing it is, even if someone gets your SID, they can't just paste it on to the URL because they don't have the IP that matches that session, so when they go to that page, your include file detects this, and stops them. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
