Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Thu, 26 Sep 2013 10:32:55 +0900
To: Madara Uchiha
Cc: Mike Willbanks, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

Hi Madara,

On Thu, Sep 26, 2013 at 7:49 AM, Madara Uchiha wrote:

> Why couldn't this be implemented on userland again? I don't feel this
> is a language level issue.

PHP is not only a language, but also a meta framework. It is better to think of it as how a framework supports sessions, IMHO. I suppose there aren't many PHP frameworks that implement a session manager by themselves.

Any user may implement this themselves. It's not difficult.

    session_start();
    // $CLIENT_IP depends on configuration; REMOTE_ADDR is used here for a direct connection
    $CLIENT_IP = $_SERVER['REMOTE_ADDR'];
    // isset() avoids an undefined-index notice on the first request of a session
    if (!isset($_SESSION['IP']) || $_SESSION['IP'] !== $CLIENT_IP) {
        $_SESSION['IP'] = $CLIENT_IP;
        session_regenerate_id(true); // true also deletes the old session data
    }

The motivation is not to make things easier, but to encourage users to use more secure session management.

The session ID must be regenerated when an event happens, e.g. login. The session ID should be regenerated periodically to reduce hijack risk, too. Users should regenerate the session ID anyway. Why not support "should/must be done" operations?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
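The three regeneration triggers named in the message (client address change, an event such as login, and a periodic interval) combined in one userland helper. This is an added example, not code from the original message or from PHP itself; the function names, the session keys '_ip' and '_regenerated_at', and the 900-second interval are assumptions chosen for illustration.

```php
<?php
// Added example. Key names, helper names and the interval are assumptions.

const REGENERATE_INTERVAL = 900; // seconds between periodic regenerations (assumed)

/**
 * Decide whether the session ID is due for regeneration.
 * Kept free of side effects so the policy can be checked without a live session.
 */
function session_needs_new_id(array $session, string $clientIp, int $now): bool
{
    if (!isset($session['_ip'], $session['_regenerated_at'])) {
        return true;                      // new session: bind it to this client now
    }
    if ($session['_ip'] !== $clientIp) {
        return true;                      // client address changed
    }
    return ($now - $session['_regenerated_at']) >= REGENERATE_INTERVAL;
}

/** Issue a new ID, delete the old session data, and record the new binding. */
function rotate_session_id(string $clientIp, int $now): void
{
    session_regenerate_id(true);
    $_SESSION['_ip'] = $clientIp;
    $_SESSION['_regenerated_at'] = $now;
}

/** Call once per request before anything else reads $_SESSION. */
function start_guarded_session(string $clientIp): void
{
    session_start();
    $now = time();
    if (session_needs_new_id($_SESSION, $clientIp, $now)) {
        rotate_session_id($clientIp, $now);
    }
}

/** Call after credentials have been verified: the "event" case. */
function on_login(string $clientIp, string $userId): void
{
    rotate_session_id($clientIp, time()); // always rotate when privileges change
    $_SESSION['user_id'] = $userId;
}

// Typical use on a directly connected server (configuration dependent):
// start_guarded_session($_SERVER['REMOTE_ADDR']);
```

Because the ID is rotated rather than the session destroyed, the data stored in $_SESSION survives each regeneration.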