Need help understanding sessions
bretticus
How are you testing? I haven't used this, but it seems obvious that this feature is for preventing session cookies from being replayed from another browser/device. It would seem to be an obvious security feature. Are you using the Tamperdata plugin or another way to modify the HTTP headers being sent to the website? Even so, matching sessions on IP or anything else is as easy as storing the IP/user agent as part of the session data and testing it each time. However, it's not a great idea. Even the CI manual warns about using the IP feature:

Quote: Whether to match the user's IP address when reading the session data. Note that some ISPs dynamically changes the IP, so if you want a non-expiring session you will likely set this to FALSE.

That means if you have users coming via a proxy array of servers, they may have several IPs (unknown to them).
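The check described in the post above (store the IP and user agent in the session data and test them on each request), as an added example that is not part of the original post and is not CodeIgniter's own code. The function names, session keys and sample requests are assumptions made up for illustration; the second request shows the proxy case the manual quote warns about.

```php
<?php
// Added illustration; hypothetical helper names, not CodeIgniter's API.

/** Record the client attributes when the session is created. */
function bind_session(array &$session, string $ip, string $userAgent): void
{
    $session['bound_ip'] = $ip;
    $session['bound_ua'] = hash('sha256', $userAgent);
}

/** Re-check the binding on every request; returns a short verdict string. */
function check_session(array $session, string $ip, string $userAgent, bool $matchIp): string
{
    if (!isset($session['bound_ip'], $session['bound_ua'])) {
        return 'unbound';
    }
    // The User-Agent header is supplied by the client, so treat it as a weak signal.
    if (!hash_equals($session['bound_ua'], hash('sha256', $userAgent))) {
        return 'ua_mismatch';
    }
    // Strict IP matching also rejects legitimate users whose address changes.
    if ($matchIp && $session['bound_ip'] !== $ip) {
        return 'ip_mismatch';
    }
    return 'ok';
}

// Constructed sample data: documentation-range IPs and made-up user agents.
$ua = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
$session = [];
bind_session($session, '203.0.113.10', $ua);

$requests = [
    'same browser, same IP'         => ['203.0.113.10', $ua],
    'same browser, next proxy IP'   => ['203.0.113.11', $ua],
    'cookie sent from other client' => ['198.51.100.7', 'OtherClient/2.0'],
];

foreach ([true, false] as $matchIp) {
    echo 'match IP = ', $matchIp ? 'TRUE' : 'FALSE', PHP_EOL;
    foreach ($requests as $label => [$ip, $agent]) {
        printf("  %-32s %s\n", $label, check_session($session, $ip, $agent, $matchIp));
    }
}
```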
Messages In This Thread
Need help understanding sessions - by El Forum - 04-05-2010, 10:30 PM
Need help understanding sessions - by El Forum - 04-05-2010, 10:58 PM