Hi ruzam,

The way I usually handle this is by creating a MD5 of several information, including the client IP and a secret passphrase (that can be fixed - always the same, or changed at intervals, in which case all sessions would expire in the end of the period), and using this MD5 as sessionID.

This allows me to verify that the sessionID was generated for the specific IP (and maybe UserAgent, if you use this to create the MD5), and the passphrase makes it harder to generate a valid MD5 key.

To limit the number of connections per IP to a legitime limit I would use something as the Apache::SpeedLimit example given in the Writing Apache Modules book. This would prevent a bruteforce attack to the sessionID.