Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session IP address matching
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Sat, 25 Jan 2014 09:54:01 +0000
Message-ID: <52E389B9.4060707@lsces.co.uk>
References: <52E31FB6.9010408@ajf.me>

Andrey Andreev wrote:
>>> Yes, one can write a custom session handler, but there's a number of
>>> problems with that:
>>
>> Correct me if I'm wrong, but why would you need to do that? Surely, this
>> would suffice:
>>
>>     if (!isset($_SESSION['ip'])) {
>>         $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
>>     } else if ($_SERVER['REMOTE_ADDR'] !== $_SESSION['ip']) {
>>         session_destroy();
>>     }
>>
>
> - I don't want the IP stored in session data, I already know it.
> - filemtime() result of the potentially targeted session id is
>   changed, extending its expiry time
> - multiple set-cookie headers
>
> Basically, I want it to be perfect. :)

Since nowadays the vast majority of 'users' do not have fixed IP addresses, and the methods used to share IPs on mobile phones are making that even more of a problem. It has already been pointed out that this can't be a default. Personally I keep track of the visitor IPs in a database and so have my own handling, and I'm fairly sure most frameworks also do that. So I do not believe it leaves many options that could be considered safe to use as an alternative? So to

> So much needed in fact, that I'm surprised PHP made it to 2014 without that
> option, especially since there already is 'session.referer_check'.

the answer is - because no one can come up with something that is safe to use?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
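An added example, not code from anyone in this thread: the IP-binding check from the quoted snippet written out in userland PHP (assumes PHP 7 or later) with the full teardown the snippet omits, and with the objections raised above recorded as comments. The function name `enforceSessionIp` is the author's own choice.

```php
<?php
// Added example: bind a PHP session to the client IP in userland.
// Limitation noted in the thread: session_start() must run before the
// check, so the session file's mtime is already refreshed (extending its
// expiry) and a Set-Cookie header may already be queued by the time a
// mismatch is detected. Only a check inside the session module itself
// could avoid that.
declare(strict_types=1);

function clientIp(): string
{
    // Use REMOTE_ADDR only; X-Forwarded-For is attacker-controlled unless
    // a trusted reverse proxy overwrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

// Returns true when the session is new or bound to this IP, false after
// the session has been torn down because the IP changed.
function enforceSessionIp(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ip = clientIp();
    if (!isset($_SESSION['ip'])) {
        $_SESSION['ip'] = $ip;   // first request: record the IP
        return true;
    }
    if ($_SESSION['ip'] === $ip) {
        return true;
    }
    // Mismatch: clear server-side data, expire the client cookie, then
    // destroy the session so the old id cannot be reused.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

if (!enforceSessionIp()) {
    // Treat the request as unauthenticated and log it for detection.
    error_log('session IP mismatch from ' . clientIp());
    http_response_code(403);
    exit;
}
```

As the thread notes, clients behind mobile carriers and shared NAT legitimately change address, so this check produces false positives and is not suitable as a default.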