<?xml version="1.0"?><rss version="2.0"><channel><title>Comments on Better Sessions - ILoveJackDaniels.com</title><link>http://www.ilovejackdaniels.com/article/better-sessions/</link><description>Latest comments on Better Sessions on ILoveJackDaniels.com</description><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Leif Burrow ( &lt;a href="http://unforgettability.net"&gt;http://unforgettability.net&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;The proxy issue is definitely a problem if you are running a commercial website where you can't just choose your users.  I used to run into problems with AOL and Yahoo DSL users a lot and it took me a while to figure out why. &lt;br /&gt;
&lt;br /&gt;
I've heard of some developers just verifying the first octet or two.  It's not as secure as verifying the whole IP but it's better than nothing and it usually takes care of the proxy problem. &lt;br /&gt;
&lt;br /&gt;
A more ambitious developer could attempt to identify the ISP and adjust accordingly if it's known to use multiple proxies.  You could start by just checking for the big well-known ones like AOL.  To find the rest, record the IP addresses any time a session is dumped due to the IP changing. Then, as users complain, you can use these records to discover the rest.  This would still inconvenience some users, but if you take care of the big ones up front and keep on it they will probably be very much in the minority.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Bill Getas ( &lt;a href="http://ms.com"&gt;http://ms.com&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Not every solution is right for every person.  This could have applications in a smaller, more controlled, and more secure site.  From experience, 'IP hopping' by users in a shared pool is rather common.  Out of a site I run with 10,000 solid users, perhaps 500 use AOL (hey, they're a relatively bright bunch), so at any given look-see of online users, there's almost always one online whose IP changes with every click (fills up the logs!)
This is a good solution and addition to the site, but its scope is not for the general public.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Paul d'Aoust ( &lt;a href="http://www.heliosville.com"&gt;http://www.heliosville.com&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;If I'm not mistaken, this script doesn't tie a session ID to an IP address in the sense that each IP can only have one session ID -- it merely uses the IP as *part* of the session ID, so that it can always check whether the session user is still coming from the same IP. This would open the door for exploiters coming from behind the same gateway, but in cases like that the exploitee could walk down the hallway and punch the exploiter in the face.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Gavin ( &lt;a href=""&gt;&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Many ISPs proxy or use few public addresses, so most of their users will seem to have the same IP address. Creating a session from an IP address is a bad idea.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Thomas Rendleman ( &lt;a href="http://www.NationalCreditRebuilders.Com"&gt;http://www.NationalCreditRebuilders.Com&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;It seems a viable option. The IP address I would tend to not do; however, you can compare other information such as the browser etc.
The odds of getting through all the different matches would be slim.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Steve ( &lt;a href="http://"&gt;http://&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Who cares about them.  AOL users sux.  Don't support their nonstandardized cr@p.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Zeeshan ( &lt;a href="http://None"&gt;http://None&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;What about AOL users? I heard their IP address constantly changes from webpage to webpage.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by Laurent ( &lt;a href="http://"&gt;http://&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;I tend to disagree. This article does *not* explain how to have a better session; it shows how to create a *broken* session.
You can't rely on IP, as stated by Petr.</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by J.H ( &lt;a href="msn.com"&gt;msn.com&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;isn't this better &amp; simpler:&lt;br /&gt;$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];&lt;br /&gt;&lt;br /&gt;TO MAKE SURE OF THE SESSION :&lt;br /&gt;if($_SESSION['ip'] !== $_SERVER['REMOTE_ADDR'])&lt;br /&gt;{&lt;br /&gt;// GO OUT&lt;br /&gt;}</description></item><item><title>Comment on Better Sessions</title><link>http://www.ilovejackdaniels.com/article/better-sessions/comments/</link><guid>http://www.ilovejackdaniels.com/article/better-sessions/comments/</guid><description>Comment by phpaquilla ( &lt;a href="www.phpaquilla.net"&gt;www.phpaquilla.net&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Setup requires session.autostart in the php.ini file to be turned off.</description></item></channel></rss>