<?xml version="1.0"?><rss version="2.0"><channel><title>Comments on Better Sessions - AddedBytes.com</title><link>http://www.addedbytes.com/article/better-sessions/</link><description>Latest comments on Better Sessions on AddedBytes.com</description><!-- ckey="76C662BB" --><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by SlyK ( &lt;a href="http://www.toohit.com/"&gt;http://www.toohit.com/&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Thanks, it's an interesting idea. I'll be using sessions with a Flash component that wouldn't use the standard session features of PHP.</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by ADD ( &lt;a href=""&gt;&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;I'm creating a CRM for a small company and it's actually very useful because we know everyone has a static IP address.^^:)</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by CubeCart Skins ( &lt;a href=""&gt;&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Thanks!  I found this tutorial invaluable!</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by J ( &lt;a href=""&gt;&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;I intended to leave a comment like the one below as soon as I saw the premise of this article, albeit for a different reason.  Or perhaps, really, it is for the same reason.  
When I had a satellite, my IP jumped around quite a bit which I discovered while writing the user management feature for an interactive online video gallery.  It seems like a good idea at first, but it takes consistency for granted and that is one thing you cannot do on the Internet.  ;)  I suppose it could cause issues for a modem user as well..</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by Leif Burrow ( &lt;a href="http://unforgettability.net"&gt;http://unforgettability.net&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;The proxy issue is definitely a problem if you are running a commercial website where you can't just choose your users.  I used to run into problems with AOL and Yahoo DSL users a lot and it took me a while to figure out why. &lt;br /&gt;
&lt;br /&gt;
I've heard of some developers just verifying the first octet or two.  It's not as secure as verifying the whole ip but it's better than nothing and it usually takes care of the proxy problem. &lt;br /&gt;
&lt;br /&gt;
A more ambitious developer could attempt to identify the isp and adjust accordingly if it's known to use multiple proxies.  You could start by just checking for the big well known ones like AOL.  To find the rest record the ip-addresses anytime a session is dumped due to the ip changing. Then as users complain, you can use these records to discover the rest.  This would still inconvenience some users but if you take care of the big ones up front and keep on it they will probably be very much in the minority.</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by Bill Getas ( &lt;a href="http://ms.com"&gt;http://ms.com&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Not every solution is right for every person.  This could have applications in a smaller, more controlled, and more secure site.  From experience, 'IP hopping' by users in a shared pool is rather common.  Out of a site I run with 10,000 solid users, perhaps 500 use AOL (hey, they're a relatively bright bunch), so at any given look-see of online users, there's almost always one online whose IP changes with every click (fills up the logs!)  
This is a good solution and addition to the site, but its scope is not for the general public.</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by Paul d'Aoust ( &lt;a href="http://www.heliosville.com"&gt;http://www.heliosville.com&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;If I'm not mistaken, this script doesn't tie a session ID to an IP address in the sense that each IP can only have one session ID -- it merely uses the IP as *part* of the session ID, so that it can always check whether the session user is still coming from the same IP. This would open the door for exploiters coming from behind the same gateway, but in cases like that the exploitee could walk down the hallway and punch the exploiter in the face.</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by Gavin ( &lt;a href=""&gt;&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Many ISPs proxy or use few public addresses, so most of their users will seem to have the same IP address. Creating a session from an IP address is a bad idea.</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by Thomas Rendleman ( &lt;a href="http://www.NationalCreditRebuilders.Com"&gt;http://www.NationalCreditRebuilders.Com&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;It seems a viable option. The IP address I would tend to not do, however you can compare other information such as the browser etc. 
The odds in getting through all the different matches would be slim.</description></item><item><title>Comment on Better Sessions</title><link>http://www.addedbytes.com/article/better-sessions/comments/</link><guid>http://www.addedbytes.com/article/better-sessions/comments/</guid><description>Comment by Steve ( &lt;a href=""&gt;&lt;/a&gt; )&lt;br /&gt;&lt;br /&gt;Who cares about them.  AOL users sux.  Don't support their nonstandardized cr@p.</description></item></channel></rss>