Hi. So I am creating a very advanced session class that I will most likely use in all the websites I create that require the use of sessions.
*Note - I'm using an SQL database for this.
Now, assuming that I can't use cookies and just have to use a session ID that's attached to the URL, how can I verify that the visitor IS the visitor who created the session?
Well, I have been reading up and all that... and I determined to store the original visitor's IP address along with the rest of the session stuff in the database.
However there is a problem here that I don't know how I could work around.
I know it's unlikely for people that are on the same IP address (such as a shared broadband connection) to wanna be stealing the original user's session ID... at least to do real damage. But that's not high enough security for me to just go by the chance that they won't be stealing the session ID from someone else who is on their same IP.
First off, that was a lot of rambling so if you don't understand what I am trying to explain please just ask.
But anyways, has anyone ever come up with another way to verify that the visitor is the creator of his/her session if someone else may be using their same IP address to access the internet?
Thanks, mike.
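
The check described in the post (store the creator's IP address in the session row and compare it on every request), as an added example that is not part of the original post. The table layout, function names and the documentation-range IP addresses are assumptions made for illustration; it shows the gap the post describes, where a request from behind the same shared address looks identical to the creator's.

```python
import secrets
import sqlite3


def open_store():
    # In-memory SQL store standing in for the poster's database (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, ip TEXT NOT NULL)")
    return db


def create_session(db, client_ip):
    # Unguessable ID that will travel in the URL, bound to the creator's IP.
    sid = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions (sid, ip) VALUES (?, ?)", (sid, client_ip))
    return sid


def verify_session(db, sid, client_ip):
    # Parameterized lookup, then compare the stored IP with the request's IP.
    row = db.execute("SELECT ip FROM sessions WHERE sid = ?", (sid,)).fetchone()
    if row is None:
        return "unknown-session"
    if row[0] != client_ip:
        return "ip-mismatch"
    return "ok"


def demo():
    # Constructed sample clients; addresses come from documentation ranges.
    shared_ip = "203.0.113.10"   # public address of a shared connection
    other_ip = "198.51.100.7"    # a different network
    db = open_store()
    sid = create_session(db, shared_ip)
    return {
        "creator": verify_session(db, sid, shared_ip),
        "same ID, other network": verify_session(db, sid, other_ip),
        # The server only sees the public address, so a second machine on the
        # shared connection presenting the same ID passes the check.
        "same ID, same shared IP": verify_session(db, sid, shared_ip),
        "made-up ID": verify_session(db, "not-a-real-id", shared_ip),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who}: {result}")
```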