Newsgroups: php.internals
Xref: news.php.net php.internals:69328
Date: Wed, 25 Sep 2013 12:52:16 +0900
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Ronald Chmara
Cc: "internals@lists.php.net"

Hi,

On Tue, Sep 24, 2013 at 12:46 PM, Ronald Chmara wrote:

> When you have a group of front-end termination points in a pool, proxying
> requests off to hundreds of machines for thousands of applications, tying a
> session to any IP is a headache. IMO, sessions are supposed to be tied to
> users, not any given inbound IP that can, and may, jump between different
> routers, proxies, NAT hosts, etc.

A session is tied to a specific user (browser) regardless of IP unless the session ID is hijacked. Renewing the session ID does not matter.

Regenerating the session ID when the IP has changed would help users notice a session hijack. This is the sole purpose of regenerating the session ID when the IP has changed. I think only a few apps do this now.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
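
An added example, not part of the original message and not code from PHP's session module: a userland version of the check discussed above, which regenerates the session ID when the client address changes so that whoever still holds the old ID loses the session. The function name and the 'bound_ip' session key are hypothetical.

```php
<?php
// Added illustration; not code from the thread or from PHP's session module.
// The function name and the 'bound_ip' session key are hypothetical.

/**
 * Regenerate the session ID when the client address differs from the one
 * recorded for this session. Returns true if the ID was regenerated.
 */
function regenerate_on_ip_change(string $remoteAddr): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $boundIp = $_SESSION['bound_ip'] ?? null;

    if ($boundIp === null) {
        // First request of this session: remember the address.
        $_SESSION['bound_ip'] = $remoteAddr;
        return false;
    }
    if ($boundIp === $remoteAddr) {
        return false;
    }

    // Address changed. The current requester receives a new ID and keeps the
    // session data; passing true deletes the old session, so any other holder
    // of the old ID (a hijacker, or the legitimate user if the hijacker made
    // this request) is logged out on their next request and can notice it.
    session_regenerate_id(true);
    $_SESSION['bound_ip'] = $remoteAddr;

    // Leave a trace for whoever reviews the logs.
    error_log(sprintf(
        'session ID regenerated: client address changed from %s to %s',
        $boundIp,
        $remoteAddr
    ));
    return true;
}

// Call before any output is sent, so the new session cookie can be set.
if (isset($_SERVER['REMOTE_ADDR'])) {
    regenerate_on_ip_change($_SERVER['REMOTE_ADDR']);
}
```

The session stays tied to the browser rather than to the address: a user whose IP legitimately changes simply continues with the new ID.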