Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session IP address matching
From: narf@devilix.net (Andrey Andreev)
To: "internals@lists.php.net"
Date: Sat, 25 Jan 2014 03:50:32 +0200

On Sat, Jan 25, 2014 at 3:20 AM, Stas Malyshev wrote:
> Hi!
>
> > Yes, one can write a custom session handler, but there's a number of
> > problems with that:
>
> Wouldn't using SessionHandler and overriding just, say, read() and
> adding the IP check there solve this issue? You don't have to bother
> with implementing the whole handler, it stays the same but you can check
> the IP after the session is loaded (or before if you wish, depending on
> what your check does).
>

I'm not aware of a way to override just read(). But even if I could, how
would I avoid breaking the rest of the SessionHandler? The manual implies
that read() is where (in userland PHP terms) fopen() + assign file handle
+ flock() would happen. Doesn't make much sense for that to be possible.

On Sat, Jan 25, 2014 at 3:40 AM, Ferenc Kovacs wrote:
>
> For the record suhosin supports this (
> http://www.hardened-php.net/suhosin/configuration.html#suhosin.session.cryptraddr)
> but to quote from the docs:
> "Keep in mind that this should not be used on sites that have visitors
> from big ISPs, because their IP address often changes during a session. But
> this feature might be interesting for admin interfaces or intranets."
> I agree with that statement, and this is why this can't be a default
> behavior, and given how easy it is to extend the default SessionHandler, I'm
> not even sure about providing an optional implementation for this.
>

I'm not suggesting that it should be On by default.

Otherwise, playing with custom session handlers is fun for me, personally.
But trust me when I say this: it is not easy for the majority of people
out there.
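The approach Stas describes above, as an added example that is not part of the thread and not PHP's or Suhosin's own code: a SessionHandler subclass that overrides only read() and write(). Because SessionHandler, once registered with session_set_save_handler(), forwards each method to the configured internal save handler, parent::read() still performs the fopen()+flock() work Andrey is worried about; the subclass only post-processes the result. The example assumes PHP 8, the default files save handler, and that $_SERVER['REMOTE_ADDR'] is the real client address (no unhandled reverse proxy). The optional IPv4 prefix match is my own addition, meant to soften the "ISP addresses change mid-session" caveat quoted from the Suhosin docs; the class name and the separator are constructed for this example.

```php
<?php
// Added example (not from the thread): pin a PHP session to the client
// address by overriding only read() and write() of the built-in handler.
// Assumes PHP 8, the files save handler, and a trustworthy REMOTE_ADDR.

class IpBoundSessionHandler extends SessionHandler
{
    private const SEP = '|';            // separates fingerprint from data

    /** IPv4 prefix length to compare; 32 = exact match (assumed option). */
    private int $v4PrefixBits;

    public function __construct(int $v4PrefixBits = 32)
    {
        $this->v4PrefixBits = max(0, min(32, $v4PrefixBits));
    }

    // Hashed, optionally prefix-masked client address. Hashing keeps the
    // raw address out of the session file on disk.
    private function fingerprint(string $addr): string
    {
        if ($this->v4PrefixBits < 32
            && filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            $mask = $this->v4PrefixBits === 0
                ? 0
                : (0xFFFFFFFF << (32 - $this->v4PrefixBits)) & 0xFFFFFFFF;
            $addr = long2ip(ip2long($addr) & $mask);
        }
        // IPv6 (or exact mode) falls through to an exact-address match.
        return hash('sha256', $addr);
    }

    private function clientAddr(): string
    {
        return $_SERVER['REMOTE_ADDR'] ?? '';
    }

    // write(): the internal handler still does locking and storage; we only
    // prepend the fingerprint so read() can verify it on the next request.
    public function write($id, $data): bool
    {
        return parent::write($id, $this->fingerprint($this->clientAddr()) . self::SEP . $data);
    }

    // read(): parent::read() still opens and locks the session file. On a
    // fingerprint mismatch return '' so PHP starts an empty session instead
    // of handing over data that belongs to a different client address.
    public function read($id): string|false
    {
        $raw = parent::read($id);
        if ($raw === false || $raw === '') {
            return $raw;                       // no session yet, or error
        }
        $sep = strpos($raw, self::SEP);
        if ($sep === false) {
            return '';                         // unprefixed legacy record
        }
        $stored   = substr($raw, 0, $sep);
        $expected = $this->fingerprint($this->clientAddr());
        if (!hash_equals($expected, $stored)) {
            error_log("session $id rejected: client address changed");
            return '';
        }
        return substr($raw, $sep + 1);
    }
}

// Registration: the subclass wraps whatever session.save_handler is set to.
session_set_save_handler(new IpBoundSessionHandler(32), true);
session_start();
```

A rejected session simply comes back empty; the stale file is left for the regular garbage collector, and destroy(), gc() and the rest of the handler are untouched, which is the point of the thread's suggestion. Passing a prefix length below 32 (for example 24) trades some of the binding strength for tolerance of the address churn the quoted Suhosin note warns about; for IPv6 the example only supports exact matching.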