[quote]QUOTE(ToonMariner @ Mar 18 2006, 12:23 AM)
Once a session is created it is [b]associated with that client and that connection to the server[/b] - these sessions stay alive til the browser closes.[/quote]

What do you mean by "it is associated"? I thought the only association between a client and a server is the IP address.

I have been reading a tutorial online: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

"Users with shell access to the web server can scan valid session id's if the default /tmp directory is used to store the session data."

If the session IS associated with that connection, then why is it possible for a hacker to browse through valid session IDs?

When a session is created, what is generated and where is it all stored? If you could just explain at the most fundamental level possible it would be a great help. Thanks.
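
Added example, not part of the original post or the linked tutorial: a Python check for the condition described in the quoted tutorial sentence. It assumes PHP's default file session handler, which stores each session in a file named sess_<session id>; the helper names, directory modes and placeholder ID are constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_session_dir(path):
    """Inspect a PHP file-based session directory (files named sess_<id>)."""
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {
        "mode": oct(dir_mode),
        # Read permission on a directory allows listing its entries; the
        # entry names contain the session IDs, whatever the file modes are.
        "listable_by_others": bool(dir_mode & stat.S_IROTH),
        "listable_by_group": bool(dir_mode & stat.S_IRGRP),
        "session_files": 0,
        "readable_session_files": 0,
    }
    for name in os.listdir(path):
        if not name.startswith("sess_"):
            continue
        report["session_files"] += 1
        file_mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if file_mode & (stat.S_IRGRP | stat.S_IROTH):
            report["readable_session_files"] += 1
    return report


def make_dir(parent, name, mode):
    """Constructed sample: a directory holding one placeholder session file."""
    path = os.path.join(parent, name)
    os.mkdir(path)
    sess = os.path.join(path, "sess_CONSTRUCTEDPLACEHOLDERID")
    with open(sess, "w") as fh:
        fh.write("user_id|i:1;")  # constructed session payload
    os.chmod(sess, 0o600)  # owner-only, as the file handler creates it
    os.chmod(path, mode)
    return path


def demo():
    """Audit a /tmp-style shared directory and a private one."""
    with tempfile.TemporaryDirectory() as parent:
        shared = audit_session_dir(make_dir(parent, "shared", 0o1777))
        private = audit_session_dir(make_dir(parent, "private", 0o700))
    return shared, private


if __name__ == "__main__":
    for label, report in zip(("shared (like /tmp)", "private"), demo()):
        print(label, report)
```

Run against the directory named by session.save_path, it shows whether other local accounts can list the IDs; a directory owned by the PHP user with mode 0700 reports False for both listable checks.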