Here are some related threads that might be worth reading. http://forums.digitalpoint.com/showthread.php?t=368906 http://forums.digitalpoint.com/showthread.php?t=365334
OK, after reading around I've come up with this strategy...

1.) When a user first visits my site I set a cookie called status and set it to 1 (meaning the user is not logged in).

2.) A user logs in. If the login turns up true I add a row to a sessions table with their IP and session id. I then change the status cookie to 2 (meaning the user is logged in) and I also set a cookie with the session id. (Should I encrypt that? Also, are there any PHP functions that generate a completely random string? If so, would it be more practical to have the session id be that but still have the id row for simplicity?)

3.) Next I have a function that takes the session id (from the cookie I set earlier) and checks it against all sessions in the session table. If the session is fraudulent I set the status cookie to 1 (meaning the user isn't logged in); if it isn't, I leave the status cookie at 2 (meaning the user is logged in).

4.) Then on every page that requires a user to be logged in I check if the status cookie is set to 2.
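
The session-table lookup from steps 2 and 3 of the post above, as an added example that is not part of the original thread: the session id comes from PHP's `random_bytes()`, only its SHA-256 hash is stored, and login state is decided by the server-side lookup on each request, since any cookie value is under the client's control. The table layout, function names, in-memory SQLite database (needs the pdo_sqlite extension) and sample IPs are assumptions made for the example.

```php
<?php
// Added example; table layout and function names are hypothetical.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');   // in-memory stand-in for the real sessions table
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id INTEGER PRIMARY KEY,
    token_hash TEXT UNIQUE NOT NULL,
    user_id INTEGER NOT NULL,
    ip TEXT NOT NULL,
    expires_at INTEGER NOT NULL)');

/** Call after the password check succeeds; returns the value for the session cookie. */
function start_session(PDO $db, int $userId, string $ip, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG (PHP 7+)
    $stmt = $db->prepare(
        'INSERT INTO sessions (token_hash, user_id, ip, expires_at) VALUES (?, ?, ?, ?)');
    // Store only a hash, so a leaked table does not hand out usable session ids.
    $stmt->execute([hash('sha256', $token), $userId, $ip, time() + $ttl]);
    return $token;
}

/** Run on every protected page: returns the user id for a valid session, else null. */
function current_user_id(PDO $db, ?string $cookieToken, string $ip): ?int
{
    // Reject anything that does not have the shape of a token we issued.
    if ($cookieToken === null || !preg_match('/\A[0-9a-f]{64}\z/', $cookieToken)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, ip, expires_at FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $cookieToken)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time() || $row['ip'] !== $ip) {
        return null;   // unknown token, expired session, or IP differs from the stored row
    }
    return (int)$row['user_id'];
}

// Constructed sample run; the IPs are from the documentation ranges.
$token = start_session($db, 42, '203.0.113.7');
var_dump(current_user_id($db, $token, '203.0.113.7'));              // issued token, same IP
var_dump(current_user_id($db, str_repeat('0', 64), '203.0.113.7')); // token never issued
var_dump(current_user_id($db, $token, '198.51.100.9'));             // issued token, other IP
var_dump(current_user_id($db, null, '203.0.113.7'));                // no cookie sent
```

In a real page the token returned by `start_session()` would be sent with `setcookie()` using the `httponly` and `secure` options, and `$ip` would come from `$_SERVER['REMOTE_ADDR']`.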