Newsgroups: php.internals
Xref: news.php.net php.internals:69366
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Sanford Whiteman
Cc: Yasuo Ohgaki
Date: Fri, 27 Sep 2013 09:08:18 +0900
In-Reply-To: <1417591323.20130926185752@cypressintegrated.com>
References: <1417591323.20130926185752@cypressintegrated.com>

Hi Sanford,

On Fri, Sep 27, 2013 at 7:57 AM, Sanford Whiteman <swhitemanlistens-software@cypressintegrated.com> wrote:

> > Users who are concerned for this situation should disable it. Users
> > who are concerned about security should accept this case.
>
> I assume "users" are as we understand them here, i.e. me.
>
> But as a developer-user I would likely want to empower my end-users to
> turn off this feature themselves. With high-volume sites (not that I
> really have any anymore, but a guy can dream) there isn't going to be
> a one-size-fits-all regarding connection quality, but there can be a
> default INI setting and then a function that we can call to override
> it. Paranoid users will turn/leave it on.... any user in a sketchy
> connection situation will turn it off (per session or for all their
> future sessions).
>
> Which is kind of why this is sounding more and more like a nice
> discussion... about a userland solution.

Besides the issue with unstable connections, we have URL based sessions.
When URL based sessions are used, this feature should be disabled, as
pages are cached by browsers.

Even if this change is made, it would not be a default, and there would
be an INI setting for the client IP header or variable. So there is no
need to worry about it being the default. (Did I miss "not" in "not a
default" in previous mails? If I did, my apologies.)

BTW, if the connection is unstable and an app forces the user to log
out, is it going to be a problem? It would depend on the message
displayed, but I guess users would think it is due to the unstable
connection.

If mobile apps are native, almost all apps store a username/password or
some credential that automatically reconnects to the service. Therefore,
I suppose it wouldn't become an issue. I might be too optimistic, though.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
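As an added example (not part of Yasuo's or Sanford's messages, and not code from PHP's ext/session or from the proposal itself), the following is a userland sketch of the behaviour under discussion: bind a session to the client IP, regenerate the ID and drop the login when the address changes, keep the feature off by default, let a session opt out, and skip the check entirely when the session ID travels in URLs. The `$config` keys, the `ip_check_opt_out` session key and the helper function names are this example's own assumptions, not real php.ini settings; the trusted-proxy header is likewise an assumption you must only enable behind a proxy you control.

```php
<?php
declare(strict_types=1);

// Example code added to the thread, not from ext/session. Names of $config
// keys, the 'ip_check_opt_out' session key and the helpers are assumptions.

/** Pick the client IP: a trusted proxy header if configured, else REMOTE_ADDR. */
function client_ip(array $server, ?string $header): ?string
{
    if ($header !== null && isset($server[$header])) {
        // X-Forwarded-For style list: the first hop is the client.
        // Only safe when the header is set by a proxy you trust.
        $first = trim(explode(',', (string) $server[$header])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    $addr = $server['REMOTE_ADDR'] ?? null;
    return ($addr !== null && filter_var($addr, FILTER_VALIDATE_IP) !== false) ? $addr : null;
}

/**
 * Global gate: an explicit switch (off unless set), and no checking at all
 * when the session ID is URL based, because browser-cached pages would keep
 * handing back the old ID and every cached click would look like a change.
 */
function ip_check_enabled(array $config, array $ini): bool
{
    if (empty($config['check_ip'])) {
        return false;
    }
    $urlBased = !(bool) $ini['session.use_only_cookies'] || (bool) $ini['session.use_trans_sid'];
    return !$urlBased;
}

/**
 * Per-request check. $session is the session data (e.g. $_SESSION).
 * $regenerate is invoked when the address changed; in a real request it
 * would be fn() => session_regenerate_id(true). Returns what happened.
 */
function enforce_ip_binding(array &$session, ?string $ip, array $config, array $ini, callable $regenerate): string
{
    if (!ip_check_enabled($config, $ini) || !empty($session['ip_check_opt_out'])) {
        return 'skipped';            // globally off, URL sessions, or this user opted out
    }
    if ($ip === null) {
        return 'skipped';            // no usable address; never bind to an empty value
    }
    if (!isset($session['bound_ip'])) {
        $session['bound_ip'] = $ip;  // first request of this session: remember the address
        return 'bound';
    }
    if (hash_equals($session['bound_ip'], $ip)) {
        return 'ok';
    }
    // Address changed: issue a fresh ID so a captured one is useless, and
    // clear the authenticated state so the user has to log in again.
    $regenerate();
    $session = ['bound_ip' => $ip];
    return 'regenerated';
}

// --- Demonstration on constructed requests; no real session is started ---
$config = ['check_ip' => true, 'client_ip_header' => 'HTTP_X_FORWARDED_FOR'];
$ini    = ['session.use_only_cookies' => '1', 'session.use_trans_sid' => '0'];
$regenerated = 0;
$regenerate  = function () use (&$regenerated): void { $regenerated++; };

$session = ['user' => 'alice'];
$reqA = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
$reqB = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];

foreach ([$reqA, $reqA, $reqB] as $req) {
    $ip = client_ip($req, $config['client_ip_header']);
    echo enforce_ip_binding($session, $ip, $config, $ini, $regenerate), "\n";
}
echo "regenerate calls: $regenerated, user still set: ", var_export(isset($session['user']), true), "\n";

// Same change of address with URL based sessions: the check is skipped.
$ini['session.use_trans_sid'] = '1';
echo enforce_ip_binding($session, client_ip($reqA, $config['client_ip_header']), $config, $ini, $regenerate), "\n";
```

Run with `php example.php`: the first request binds the address, the second matches, the third (new X-Forwarded-For) triggers one regenerate call and clears the `user` entry, and the final call is skipped once `session.use_trans_sid` is on. The per-session `ip_check_opt_out` flag is the hook for Sanford's "turn it off per session" case; setting it from a user preference is left to the application.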