
Alternatives to IP session binding

I'm not sure if the idea of binding IPs to sessions is a good one.

What are the alternatives?

Currently what I have is this:

  • Browser sends session ID
  • Server checks if session hasn't expired

But what if a third party somehow finds out the session ID? Should I care about this possibility? Binding the session to an IP would make such a session forgery more difficult, but there are cases when more than one user might appear with the same IP.

I'm clueless! :(


NEVER write your own session handler, use whatever comes with your platform. Limiting to IP address is not a good idea. IP addresses change for legitimate reasons, such as if the user is behind a load balancer. Furthermore, what if they are on a free wifi network? Then everyone gets access.


I prefer to bind the user-agent instead of the IP for the reasons stated above. Binding the user-agent makes it a little more difficult to replay the cookie.

SSL is great to prevent "Man-in-the-middle attack" but it's not a magic "secures it all" solution. If your website is vulnerable to XSS, the cookies are not safe (and by extension, the session id).

Also: watch out for session fixation.
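The checks the question and answers describe (expiry, binding the session to the user-agent rather than the IP, and regenerating the ID at login against session fixation), as an added example that is not part of either answer. The `SessionStore` class, its in-memory dict and the injectable clock are constructed here for illustration; a real application should rely on its platform's session handler.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 1800  # seconds of inactivity before a session expires


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}  # constructed in-memory store: sid -> record
        self._now = now      # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _ua_fingerprint(user_agent):
        # Bind to a hash of the User-Agent, not the client IP (which changes legitimately).
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def create(self, user_agent, user_id=None):
        # Unpredictable ID from a CSPRNG; user_id is None for an anonymous session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user_id,
            "ua": self._ua_fingerprint(user_agent),
            "expires": self._now() + SESSION_TTL,
        }
        return sid

    def validate(self, sid, user_agent):
        # Return the record if sid is live and presented by the same UA, else None.
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._sessions[sid]  # expired: discard server-side
            return None
        if not hmac.compare_digest(rec["ua"], self._ua_fingerprint(user_agent)):
            del self._sessions[sid]  # cookie replayed from a different client
            return None
        rec["expires"] = self._now() + SESSION_TTL  # sliding expiry on activity
        return rec

    def login(self, sid, user_agent, user_id):
        # Privilege change: drop the pre-login ID and issue a fresh one (anti-fixation),
        # so an ID planted before authentication never maps to the logged-in user.
        if self.validate(sid, user_agent) is None:
            return None
        del self._sessions[sid]
        return self.create(user_agent, user_id)
```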
