Again, *%session_start()%* isn't enough. Don't use IP address for identification! Assume the session identifier is captured. Complicate impersonation.