Newsgroups: php.internals
Xref: news.php.net php.internals:71539
Date: Sat, 25 Jan 2014 03:11:37 +0200
To: "internals@lists.php.net"
Subject: Session IP address matching
From: narf@devilix.net (Andrey Andreev)

Hello,

ext/session lacks the option to check the visitor's IP address and this is a much needed feature for pretty much everybody writing web applications today. I'll call it 'session.match_ip' for now.

So much needed in fact, that I'm surprised PHP made it to 2014 without that option, especially since there already is 'session.referer_check'.

Yes, one can write a custom session handler, but there's a number of problems with that:

- Most people don't know enough to do it properly, more specifically - how to handle concurrency.
- The documentation available is pretty limited.
- Unless I want another type of storage, why should I bother trying to replicate ext/session just for this one option?

And of course, there are a few pre-made handlers in PECL, but those are afaik no longer maintained and not feasible if you'd be distributing your end product instead of just running it yourself.

I'd write an RFC about it, but I know it doesn't stand a good chance without a patch to go with it and I'm not comfortable enough with my C knowledge to do it myself. It should be simple enough in theory though ...

- Create an MD5 hash of REMOTE_ADDR and do one of these:
  - Prepend it to the session file name
  - Create a directory named after it under session.save_path
  - Have the option to specify it in session.save_path itself, like it's done with N and MODE

It shouldn't cause any BC breaks and the only issue I can think of is loss of existing sessions when the option is being turned On/Off. I wouldn't be bothered by that really, it should be expected.

So, how do you guys feel about this? Would anybody be willing to write the patch (I'll do the RFC)?

Cheers,
Andrey Andreev a.k.a. Narf.
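
The first option in the message above (prepending an MD5 of REMOTE_ADDR to the session file name) can be modelled in userland by wrapping the built-in files handler; this is an added example, not code from the original post or from ext/session. It assumes PHP 8.0 or later, the default `files` save handler and `session.use_strict_mode=0`, and the class name `IpBoundSessionHandler` is hypothetical.

```php
<?php
// Added example, not from the original post or from ext/session.
// IpBoundSessionHandler is a hypothetical name.

final class IpBoundSessionHandler extends SessionHandler
{
    private string $prefix;

    public function __construct(string $remoteAddr)
    {
        // 32 hex characters, all valid in a files-handler session key.
        $this->prefix = md5($remoteAddr);
    }

    // Key the files handler actually stores under: md5(IP) . session id.
    public function storageKey(string $id): string
    {
        return $this->prefix . $id;
    }

    public function read(string $id): string|false
    {
        // A request from another address maps to a different file, so it
        // reads an empty session instead of the original visitor's data.
        return parent::read($this->storageKey($id));
    }

    public function write(string $id, string $data): bool
    {
        return parent::write($this->storageKey($id), $data);
    }

    public function destroy(string $id): bool
    {
        return parent::destroy($this->storageKey($id));
    }
}

// Behind a reverse proxy REMOTE_ADDR is the proxy's address, not the visitor's.
// The fallback only exists so the script also runs from the CLI.
$handler = new IpBoundSessionHandler($_SERVER['REMOTE_ADDR'] ?? '127.0.0.1');
session_set_save_handler($handler, true);
session_start();

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo 'hits from this address: ', $_SESSION['hits'], "\n";
```

A visitor whose address changes mid-session (mobile networks, rotating proxies) keeps the same cookie but lands on a different storage key and therefore starts with empty session data.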