06-28-2009, 02:08 AM
#6
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Quote:
Originally Posted by adamdecaf
@VI Would you suggest binding the random ID to an IP to prevent black-hats from using the session when the user is logged in?
No, IP is not a good method of validating. IPs can change in a session, and there are ways to spoof them. This method is about as secure as it comes; it is very similar to what we are doing for an internal file transfer site for our company (a mortgage banker).
HTTP is a stateless connection, meaning there is no possible way to know for absolute certain that you are talking to the same person. The only way you can know is to have very hard-to-spoof data to validate on both ends; this data can always be stolen or faked. To circumvent this, the data should change as often as possible so that a cracker's attempt will prove useless before long.
I personally stick away from server-side sessions; they have harder-to-find insecurities and have been less reliable in regards to consistency from my experience.
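The approach described in the post above (an unguessable session ID that is validated without reference to the client IP and replaced as often as possible), as an added example that is not code from the original thread or from the poster's site; the `SessionStore` class, its in-memory dictionary and the injectable `clock` are assumptions made for this illustration.

```python
import hmac
import secrets
import time


class SessionStore:
    """In-memory store (hypothetical) that issues CSPRNG session IDs and rotates them on use."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can control expiry
        self._sessions = {}         # session_id -> {"user": str, "expires": float}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, URL-safe

    def create(self, user):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def _lookup(self, sid):
        # Compare against every stored ID in constant time so response timing
        # does not reveal how many leading characters of a guess were right.
        match = None
        for stored in list(self._sessions):
            if hmac.compare_digest(stored.encode(), sid.encode()):
                match = stored
        if match is None:
            return None
        if self._sessions[match]["expires"] < self.clock():
            del self._sessions[match]      # expired: treat as unknown
            return None
        return match

    def validate_and_rotate(self, sid):
        """Return (user, new_sid) for a valid ID, else None.

        The presented ID is retired on every request, so a copied ID only
        works until the legitimate client's next request. No IP is consulted,
        because addresses change mid-session and can be spoofed."""
        match = self._lookup(sid)
        if match is None:
            return None
        record = self._sessions.pop(match)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": record["user"],
                                   "expires": self.clock() + self.ttl}
        return record["user"], new_sid
```

Each response must set the returned `new_sid` as the client's cookie, or the legitimate user is logged out on their next request.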