
Joe Quinn
Additionally, you can change the session hash with every page hit, to some other totally random hash. If someone steals your session, they had better act on it immediately, lest you visit another page and it changes completely. If your session gets hijacked, you get logged out. When you log in again the attacker loses access.
That will likely cause trouble with concurrent connections aka pipelining:

* Client sends request 1 with session id A.
* Server receives request 1, verifies A = A, handles the request, sets new hash to B, sends response.
* Client sends request 2 with session id A.
* Server rejects request 2, because session id mismatch (A /= B).
* Client receives response to request 1, sets session id to B.

Don't change the session id in the middle of the session. To prevent session hijacking you need to use SSL.

Greets,
Ertugrul

--
Not to be or to be and (not to be or to be and (not to be or to be and (not to be or to be and ... that is the list monad.
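A small simulation of the pipelining sequence described in the reply above, added here as an illustration and not code from either poster. It runs the same two back-to-back requests against a server that rotates the id on every hit and against one that keeps a single id per session; `Server`, `pipelined_client` and the user name are assumed for the example.

```python
import secrets


class Server:
    """Minimal session store. rotate_per_request=True mimics rotating the
    session hash on every page hit; False keeps one id for the whole session."""

    def __init__(self, rotate_per_request):
        self.rotate = rotate_per_request
        self.sessions = {}  # session id -> user

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def handle(self, sid, request):
        """Return (status, new_sid). Unknown or already-rotated ids are rejected."""
        if self.rotate:
            user = self.sessions.pop(sid, None)  # old id A is invalidated
        else:
            user = self.sessions.get(sid)
        if user is None:
            return "rejected", None
        new_sid = sid
        if self.rotate:
            new_sid = secrets.token_hex(16)      # fresh id B for the response
            self.sessions[new_sid] = user
        return f"ok:{request}", new_sid


def pipelined_client(server):
    """Client sends request 1 and request 2 back to back, before reading the
    response to request 1, so both carry the same session id A."""
    sid = server.login("alice")                    # constructed sample user
    in_flight = [(sid, "req1"), (sid, "req2")]     # both sent with id A
    results = []
    for s, req in in_flight:                       # server handles them in order
        status, _new_sid = server.handle(s, req)   # client has not seen B yet
        results.append(status)
    return results


def simulate():
    return {
        "rotate_per_request": pipelined_client(Server(True)),   # req2 rejected
        "stable_id": pipelined_client(Server(False)),           # both ok
    }
```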