using IP address for secure login

Hi everyone

I'v seen some people just pass the login to others by sending PHPSSID to others like this:

www.example.com/index.php?phpssid=somevalue

Then I thought it might be possible to prevent this by checking the IP address on each page BUT i'v heard that some ISPs change the users IP address on each page (like AOL).

How could it be possible? Is it even true? And what do you think about checking the IP?

Thanks

re: using IP address for secure login

you don’t need to check the IP to overcome this. first you have to disable session id transfer via url and second if you limit the session (cookie) lifetime enough, the session is gone before anyone from outside can access the session (you can also change the session name).

re: using IP address for secure login

Dynamic IPs are very common these days, as apposed to static IPs. One changes, the other doesn't (respectively). You should not make assumptions about a user based on their IP address.

re: using IP address for secure login

Thanks for the answers
It realy helped