I lock the ip address.
Does this mean than user can only login in with the same ip address? Or will the user logout and have to re-login to get a new session?
if (isset($_SESSION['last_ip']) === false) {
$_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['last_ip'] != $_SERVER['REMOTE_ADDR']){
session_unset();
session_destroy();
}