Yes, that's better, but it does guarantee that some users will not be able to use your site. The user might be sitting behind a proxy that uses a different IP address with every request. AOL users, for example, have a different IP address almost every time they connect. Thus, if anyone connects to your site using an IP address that someone else has used, they'll gain access to the other person's session.
You want to use some form of random session ID that times out. One caveat, though: do not use sequential IDs. If someone connects and has a session ID of "307920" and the previous person had "307919", then someone can easily change their cookie value to hijack someone else's session. Random session IDs that time out in a relatively short period of time stand the best chance of avoiding a session hijacking issue.
Also, I should mention that you want the session start time to be stored on the server and not relying on the "-expires" key in your cookie. You maintain control over the session timeout yourself and you don't have to worry about someone changing their clock on their computer (or worse, having a non-standards compliant browser ignoring the timeout value for the cookie).
Cheers,
Ovid
Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.
In reply to Re: Re: Re: Re: (not so) Invisible Cookies
by Ovid
in thread Invisible Cookies
by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |