Hi everyone, I have made a class which handles sessions using a MySQL database. So far, to resume a session it checks for a cookie with a session ID and then fetches all the session info from the database related to the session ID belonging to that cookie. If the user selected 'remember me' when they last logged in, it will log them in automatically. I'm thinking that it should cross-reference something else as well as the session ID from the cookie to make it more secure, something like the user's IP address. However, some users' IP addresses change a lot. I would be grateful for any help.
A cookie is enough; you do not need to cross-reference something else, it would make session handling even more complicated without increasing security. If you want to make it more secure, then when the user tries to access a page where he can change important data like a password, show him the login page and ask him to confirm his identity even though he is logged in; this is common practice in auction services.
Right... just hash the password with SHA-256 and salt it. Then after, let's say, 10 mins pass, auto-generate an ID and update the session. What you are doing is an "IP lockdown", which in my opinion will become pretty annoying, especially for AOL users. Pretty much use http://www.php.net/manual/en/function.session-name.php because many people leave PHPSESSID on; it's a pretty common mistake. This won't really be very effective, but it will hold them back for a tiny bit. Just keep updating IDs and matching up. That's all.
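An added example (not code from any poster) showing the pieces discussed in this thread: a database-backed session that rotates its ID after 10 minutes, a 'remember me' cookie whose validator is stored only as a hash and burned on use, and a check that forces a fresh login before sensitive actions. It assumes an in-memory dict in place of the MySQL tables and a hypothetical 5-minute re-authentication window.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the MySQL tables (assumption: the real schema holds
# session_id, user_id, created, last_auth and selector, token_hash, expires).
SESSIONS = {}
REMEMBER_TOKENS = {}
ROTATE_AFTER = 600     # regenerate the session ID after 10 minutes, as suggested above
REAUTH_WINDOW = 300    # assumption: password changes need a login in the last 5 minutes


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id, now, authenticated=True):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "created": now,
                     "last_auth": now if authenticated else None}
    return sid


def resume_session(sid, now):
    """Look up the cookie's ID; rotate it once it is older than ROTATE_AFTER."""
    row = SESSIONS.get(sid)
    if row is None:
        return None
    if now - row["created"] >= ROTATE_AFTER:
        del SESSIONS[sid]                      # the old ID stops working after rotation
        sid = secrets.token_urlsafe(32)
        row = dict(row, created=now)
        SESSIONS[sid] = row
    return sid, row


def issue_remember_token(user_id, now, ttl=30 * 86400):
    """Cookie value is selector:validator; only the validator's hash is stored server-side."""
    selector, validator = secrets.token_hex(8), secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = {"user_id": user_id, "hash": _hash(validator),
                                 "expires": now + ttl}
    return f"{selector}:{validator}"


def login_from_remember_cookie(cookie, now):
    """Auto-login: validate, burn the token, then issue a new one and an unauthenticated session."""
    selector, _, validator = cookie.partition(":")
    rec = REMEMBER_TOKENS.pop(selector, None)  # single use: any presented token is consumed
    if rec is None or now > rec["expires"] or not hmac.compare_digest(rec["hash"], _hash(validator)):
        return None
    sid = create_session(rec["user_id"], now, authenticated=False)
    return sid, issue_remember_token(rec["user_id"], now)


def needs_reauth(sid, now):
    """True when the session came from a remember-me cookie or the last login is stale."""
    row = SESSIONS[sid]
    return row["last_auth"] is None or now - row["last_auth"] > REAUTH_WINDOW
```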