Binding of IP address with Session id

Question

To prevent the session fixation problem, how can we bind the IP address with the session id? Is it possible to bind the session id with that of the IP address??

Answer 1

I don't think that this is a good idea. Subsequent request from the same users might not necessarily come from the same IP address because the request might come from a different proxy. IIRC this used to be the case for all AOL users and might be the case for other providers or some corporate networks, too.

It is better to secure your session with page tokens to prevent highjacking a session.