[eluser]eedfwChris[/eluser]
[quote author="Derek Allard" date="1196311794"]Could I ask that you take another look through the SVN session class please? I believe it does everything you suggest. sess_update() generates a new session id, and is configurable so that you could literally change it every 1 second if you'd like. Additionally, you can use IP address and user agent checks. I'm not denying that these couldn't be spoofed, but as you say, they are further methods that can be employed to enhance the session security. I'm afraid I'm just not following your concerns here.[/quote]
Ah, ok great! I was not aware of this function. The only concern now is storing a created_time for a session in order to tell the actual life of a session (as aposed to just how long since the user's last activity). This is easily implemented outside of the library but it would be nice to have the session library work that out for you automatically.
