PHP Session Cookies fail with users changing IP

Question

I have a login script for a small application that works by storing session cookies and checking them on each page to make sure the user is logged in. One of the two users w

Answer 1

By default the PHP Session does not account for IP changes. It's only based in the cookie value.

So perhaps maybe there is some customized code in your web app that invalidates the session when a user changes the IP address.

Answer 2

Are session cookies in someway tied to IP addresses?

No. As long as the browser is connecting to the same IP name serverside it doesn't matter if the clients address changes or goes via a different proxy.

It's more likely that something is getting cached where it shouldn't. (assuming you are doing no validation against IP address).

Have you got your webserver configured to log session ids against the request/client/user agent? (i.e. in the access log)

C.