Well, I'm develloping a class in PHP to handle sessions on a framework level (so I can use it in several applications), but is currently focused on
Chameleon.*
Well, I tried to avoid the use of session files, since this may be a fast solution but aren't always reliable (memory quota, void session handling, session hijacking).
What I do is generate a session ID with session_start, fill the session file with a boolean (to avoid the void session automatic destruction, but keeping the file as sleek as possible) and store all data to the database. With several features I can allow custom session timeouts, session suspension (to recover your session in the next login), etc. The problem is that authentication of session owner is somewhat tricky.
To start a session, people are supposed to log in. Once they do the session is saved to the database, ie it becomes a persistent session. Using the session ID I link the user to that single stored session. But the SIDs can easily be hijacked, either by URL appending or by cookie faking.
This brings me to the question about more relyable checks to verify that the user who is identifying itself with a certain SID, really is the user the SID was generated for. But... How to handle proxy IPs? how to get a unique value from a client?
I know there is no perfect way to protect users from sniffing and hacking into their accounts, but what would be the most reliable methods to make it hard to hackers and keep it simple in the code? (this means do not require me to install and use SSL libs, because it would really be overkill in certain circumstances, imo).
Would someone know how to make it the best way possible?
Actually post your thoughts, even if they're not proved to be bulletproof
__
* Some more free advertising 
/ –
PHP security concerns
![[Image: dt2.0v2.png]](http://thedt.net/img/dt2.0v2.png)
Happy Birthday,