Forum Moderators: coopster


rant about sessionIDs in URLs


jackvull

10:57 pm on Feb 8, 2006 (gmt 0)

10+ Year Member



Hi
If cookies are disabled, we have to pass the sessionID in the URL.

The problem with passing the sessionID in the URL is that it's open to hijacking. On my site, I have a custom timeout script, which is about 3 to 5 mins. I'm sure this is enough but a user could still send a URL with the sessionID to someone else to login as them couldn't they?

Many places have mentioned that you can do extra checks such as the REMOTE_ADDR check but I've also read about concerns on this for people using dial-up, ISPs that change the IP address on every login, etc.

SO is there any other way at all of preventing hijacking?

jatar_k

11:16 pm on Feb 8, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> a user could still send a URL with the sessionID to someone else to login as them couldn't they?

Yes, they could, unless you have some way of identifying them. I always used IP.

have you seen this library thread?
[webmasterworld.com...]

eeek

11:21 pm on Feb 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



IP addresses aren't always constant. That method may work a lot of the time but it certainly isn't foolproof. And don't forget the request may be going through a proxy (e.g. AOL) which would give many users the same IP address.

jatar_k

11:28 pm on Feb 8, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



that's true but it still reduces the possibilities.

No security is foolproof as often fools are the first to get through.

eeek

11:29 pm on Feb 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Even the cookies aren't really secure unless you're using https.

Iguana

11:41 pm on Feb 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's a bit more complicated with IP. With the AOL proxy the same user will send subsequent requests from different proxies (check your logs - you can see it happening). I worked somewhere where the load balancing was done via IP and the site wouldn't work with AOL users because of that.

jatar_k

12:28 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



we had no probs with aol users

eeek

1:09 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>> we had no probs with aol users

You've had no problems that you know of and if you haven't actually had any, you've been lucky.

jatar_k

1:44 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



no, I actually know we haven't had issues with all of the AOL users that we have

I know the issues and I was very surprised that we didn't have any problems, but we didn't. It's an anomaly based on previous experience, but we had to bind it to IP over https, just how it is, and we had no issues with any AOL user that used our site.

strange but true

jdMorgan

2:13 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



When using https, does AOL stop bouncing users from one proxy IP to another for each request, and let the IP address 'stick' for the duration of the https 'session'? - If so, that might explain things...

Jim

jatar_k

6:53 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



that was the only thing I could figure as to why it didn't happen Jim

our hardware was pretty standard

firewalls
load balancers
ssl accelerators
servers

but those sessions stuck absolutely

jackvull

9:38 am on Feb 9, 2006 (gmt 0)

10+ Year Member



So, as an extra check, I should record their IP address and, if it changes, time them out so that they have to login again?

Iguana

10:01 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



From AOL's webmaster info:

The problem with trying to use the IP address to track access is that there may easily be multiple members assigned to a proxy server. All of the member requests would appear to be coming from one member if you assumed a relationship between member and IP address. In addition, members may be reassigned to a different proxy server during a session.

When I did detailed log analysis (i.e. read them myself) about a year ago (HTTP access) I found the IP often changed for a single AOL user as he/she moved between pages on my site.

jackvull

10:12 am on Feb 9, 2006 (gmt 0)

10+ Year Member



Is there some kind of workaround I might be able to use for this then?
Like identifying if they are an AOL user and turning off my IP check.
At least I could leave the check in there for other users then?

jackvull

10:31 am on Feb 9, 2006 (gmt 0)

10+ Year Member



Have a read of this for PHPBB's implementation practice:
[phpbb.com...]

Iguana

11:08 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Good article that one.

Should we go back to the original question?

A user turns off cookies, gets the sessionID in the url, mails it to someone else who then continues with their session.

How about insisting cookies are turned on (at least for AOL users).

Even so, I could get around that in 2 minutes because I can read and write cookies in my browser sessions. I could knock up a custom app for a friend (another 2 minutes work) that would do the same and I could then mail him the Cookies session ID.
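To make the discussion concrete, here is an added example (not code from this thread, from phpBB, or from any poster) of the server-side checks that jackvull asked about earlier (record the IP at login, reject the session if it changes, and time idle sessions out) and of Iguana's point that the same ID is just as copyable whether it travels in a URL or a cookie. The class and function names, the `sid` parameter name, the `ip_policy` values and the IP addresses in the demo are all assumptions made for illustration. The `prefix` policy is the compromise for ISPs that hop a user between addresses in one pool; `none` is what you fall back to for proxy farms that do not keep even the prefix stable.

```python
"""Session validation with an idle timeout and an optional client-IP binding.

Added example, not code from the thread above or from any product it mentions.
SessionStore, extract_sid, IDLE_TIMEOUT, SID_PARAM and the ip_policy values
are assumed names; the addresses in demo() are constructed test data.
"""
import ipaddress
import secrets
import time
from urllib.parse import parse_qs

IDLE_TIMEOUT = 5 * 60   # seconds; the thread's custom timeout is 3 to 5 minutes
SID_PARAM = "sid"       # assumed name of the cookie / URL parameter


def extract_sid(cookies, query_string, allow_url_sid=False):
    """Prefer the cookie; fall back to the URL only when the site allows it.
    A URL-borne ID leaks through Referer headers, bookmarks and forwarded links."""
    if SID_PARAM in cookies:
        return cookies[SID_PARAM]
    if allow_url_sid:
        values = parse_qs(query_string).get(SID_PARAM)
        if values:
            return values[0]
    return None


class SessionStore:
    """ip_policy: 'strict' (exact IP match), 'prefix' (/16 IPv4, /48 IPv6),
    or 'none' (no IP check). `now` is injectable so timeouts can be tested."""

    def __init__(self, ip_policy="strict", now=time.time):
        if ip_policy not in ("strict", "prefix", "none"):
            raise ValueError("unknown ip_policy")
        self.ip_policy = ip_policy
        self.now = now
        self._sessions = {}

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; not guessable
        self._sessions[sid] = {"user": user, "ip": client_ip, "last_seen": self.now()}
        return sid

    def _ip_matches(self, bound_ip, client_ip):
        if self.ip_policy == "none":
            return True
        if self.ip_policy == "strict":
            return bound_ip == client_ip
        try:
            a, b = ipaddress.ip_address(bound_ip), ipaddress.ip_address(client_ip)
        except ValueError:
            return False
        if a.version != b.version:
            return False
        bits = 16 if a.version == 4 else 48
        return (ipaddress.ip_network(f"{a}/{bits}", strict=False)
                == ipaddress.ip_network(f"{b}/{bits}", strict=False))

    def validate(self, sid, client_ip):
        """Return the owner of `sid`, or None. Expiry or an IP mismatch destroys
        the session: the legitimate user must log in again, but a copied ID
        cannot keep riding along either."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.now()
        if now - sess["last_seen"] > IDLE_TIMEOUT or not self._ip_matches(sess["ip"], client_ip):
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def regenerate(self, sid):
        """Issue a fresh ID for an existing session (after login or any privilege
        change) so an ID captured or forwarded earlier stops working."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid


def demo():
    """The forwarded-link scenario from the thread, driven by a fake clock."""
    clock = [1_000.0]
    store = SessionStore(ip_policy="strict", now=lambda: clock[0])
    sid = store.create("alice", "203.0.113.10")            # constructed address
    results = {
        "owner_ok": store.validate(sid, "203.0.113.10"),
        "forwarded_link": store.validate(sid, "198.51.100.7"),   # mailed to a friend
        "owner_after_hijack_attempt": store.validate(sid, "203.0.113.10"),
    }
    sid2 = store.create("bob", "203.0.113.10")
    clock[0] += IDLE_TIMEOUT + 1
    results["bob_after_timeout"] = store.validate(sid2, "203.0.113.10")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `validate` deletes the session on an IP mismatch rather than merely refusing the request; with `strict` binding and an ISP that rotates addresses mid-session that is exactly the lockout the AOL posts describe, which is why the policy is a per-deployment setting and not a constant.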