It doesn't make sense to use IP addresses as a type of user identity check...
Sure it might work 90% of the time...but what about the 10% of the time someone spoofs an IP?
If a solution isn't effective 100% of the time...what is the point in using that technique?
Here are some things to consider:
If you're on a shared host...storing sessions in a database is a good idea...however, if your PHP scripts are insecure, SQL injection would make it possible to retrieve that session data. So if you have a lot of third party scripts (i.e. phpBB, and so on) and you're not sure of their security policies (do they escape characters, etc.) perhaps it's a good idea NOT to store your session data in a database, but perhaps in a file in your document root and protect that file using .htaccess. I'm willing to bet far fewer scripts with holes allowing direct file access exist than do SQL injection scripts...
This is something only you can determine based on your unique situation...
If session data is only storing things like current page, last viewed records, etc... there is no reason you cannot use generic sessions, as security isn't really an issue...
And scottayy, your comparing the session ID or magic cookie on the client machine to that stored in a database *is* IMHO a secure way of doing business...
I am sure there are ways of further enhancing security, like regenerating a session ID every request, so any given session ID (stored on the client as a cookie) can be used only once...but then...why not just use SSL? Solve the problem of sending data over the wire...the right way...
Regenerating session IDs might work (sorta) but you're driving the nail into the board using a screwdriver here...
Meaning...yes you might get the job done and the solution works...but christ...what a waste of time...
If you have reason to believe your network traffic is being sniffed...perhaps it's best to look into it deeper than just PHP level security...and if security is that big of a priority...perhaps it's time to upgrade to a server which allows SSL???
If you are worried that someone might obtain a copy of the cookie using some sneaky javascript...that's a problem with your code, so solve the problem where it starts, not where security becomes an actual problem...
Cheers
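The hardening steps the post touches on (file-based session storage kept away from the web root, cookie flags against script-based cookie theft, per-request session ID rotation), as an added PHP example that is not part of the original post; the save path and the session data written are assumptions:

```php
<?php
// Added example (not from the original post): a PHP session setup that
// applies the points made above. Paths and stored values are illustrative.
declare(strict_types=1);

// Keep session files in a directory that is outside the document root and
// writable only by the web server user, so no web request can fetch them
// and a SQL injection in a third-party script cannot read them either.
// Assumption: /var/lib/app-sessions exists with mode 0700 for the web user.
session_save_path('/var/lib/app-sessions');

// Honour only the cookie as the session ID carrier and refuse IDs the
// server never issued (closes the classic session-fixation path).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// Cookie flags: Secure means the cookie only travels over TLS (the post's
// "just use SSL" point); HttpOnly keeps it out of document.cookie, so a
// script injected into the page cannot copy it.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie, no persistent copy
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// Optional per-request rotation, as the post describes. With true, the old
// session file is deleted, so a captured cookie value is valid for at most
// one request. Trade-off: concurrent requests from the same browser (a page
// and its AJAX calls) can race on the old ID and lose their session.
if (!isset($_SESSION['started_at'])) {
    $_SESSION['started_at'] = time();   // constructed sample session data
}
session_regenerate_id(true);

// Everything after this point only reads server-side session data; the
// client-supplied ID is never trusted beyond serving as the lookup key.
```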
