Yeodan, posted May 2, 2009: I'm making an MMORPG browser game. Players need to log in, I use sessions for that. For now I just use the player number, but I'm planning on using the encrypted password, IP address and session number too. Should I check this information on every page? If not, when / where should I? Also is it smart, if it's even possible, to change the session ID on every page? If not, when / where should I?
cringe, posted May 2, 2009: You really only need to regenerate the session ID when a change in authority occurs, such as when the user signs on. And regenerate it every "x" requests from the client via a counter in the $_SESSION. And include a unique token in every response sent back, via output_add_rewrite_var(). If the next request does not include that token in $_GET (URL) or $_POST (form) or it's not in the $_SESSION, politely make the user sign in again. And you can have that token "time-out" via another value in the $_SESSION. Set it to time() + 60*10 (10 minutes or whatever) in the $_SESSION when the next response is generated. The next request must be received back with a valid token before time() is greater than that $_SESSION value, or again, ask the user to sign in again or take some other appropriate action.
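The scheme cringe describes, written out as an added PHP example (not code from the thread): regenerate on login and every N requests, issue a per-response token with a 10-minute expiry, and verify it on the next request. The constants, the `tok` parameter name and the `/login.php` path are assumptions.

```php
<?php
// Added example, not from the thread. REGEN_EVERY, TOKEN_TTL, TOKEN_FIELD
// and /login.php are assumed values for illustration.
declare(strict_types=1);

const REGEN_EVERY = 20;      // regenerate the session id every 20 requests
const TOKEN_TTL   = 600;     // 10 minutes, as in the post: time() + 60*10
const TOKEN_FIELD = 'tok';   // hypothetical name of the token parameter

session_start();

// 1. Change in authority: call this once the login check has succeeded.
function onLogin(int $playerId): void {
    session_regenerate_id(true);        // fresh id, old one deleted
    $_SESSION['player']   = $playerId;
    $_SESSION['requests'] = 0;
    issueToken();
}

// 2. Every page: the token from the previous response must come back,
//    must match the one stored in $_SESSION, and must not have expired.
function checkToken(array $request): bool {
    $sent = $request[TOKEN_FIELD] ?? null;   // from $_GET or $_POST
    if ($sent === null || !isset($_SESSION['token'], $_SESSION['token_exp'])) {
        return false;
    }
    if (time() > $_SESSION['token_exp']) {
        return false;                        // token timed out
    }
    return hash_equals($_SESSION['token'], (string) $sent);  // constant-time
}

// 3. New token for the next response; rewrite it into this page's links/forms.
function issueToken(): void {
    $_SESSION['token']     = bin2hex(random_bytes(16));
    $_SESSION['token_exp'] = time() + TOKEN_TTL;
    output_add_rewrite_var(TOKEN_FIELD, $_SESSION['token']);
}

// Per-request flow: verify, count, rotate the id periodically, re-issue.
function onRequest(array $request): void {
    if (!isset($_SESSION['player']) || !checkToken($request)) {
        forceLogin();
    }
    if (++$_SESSION['requests'] % REGEN_EVERY === 0) {
        session_regenerate_id(true);
    }
    issueToken();
}

function forceLogin(): void {
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');   // hypothetical login page
    exit;
}
```

Call onRequest($_GET + $_POST) at the top of every protected page; output_add_rewrite_var only rewrites output that goes through the output buffer, so the page body must be produced after it is called.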