Again, session_start() isn't enough.


Don't use IP address for identification!


Assume the session identifier is captured.


Complicate impersonation.
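One way to act on these four points, as an added example that is not code from the original page: the session is bound to a hash of the User-Agent header instead of the IP address, and a mismatch is treated as a captured identifier. The function names and the choice of User-Agent are assumptions made for this illustration.

```php
<?php
// Added example. client_fingerprint() and start_guarded_session() are
// hypothetical helper names; the page does not define them.

// Build a fingerprint from a request property that stays the same for a
// legitimate client for the life of the session. The IP address is left out
// on purpose: it changes for honest users (proxies, mobile networks) and is
// shared by many users behind one gateway.
function client_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ua);
}

function start_guarded_session(): void
{
    // session_start() alone only resumes whatever identifier was presented.
    session_start();

    $current = client_fingerprint($_SERVER);

    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: remember the fingerprint.
        $_SESSION['fingerprint'] = $current;
        return;
    }

    // Constant-time comparison of the stored and presented fingerprints.
    if (!hash_equals($_SESSION['fingerprint'], $current)) {
        // Same identifier, different client properties: assume it was
        // captured. Discard the session data and issue a new identifier,
        // deleting the old session on the server.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $current;
    }
}

start_guarded_session();
```

This only raises the cost of using a captured identifier: a client that replays the same header along with the identifier still passes the check.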