Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session IP address matching
From: andreas@heigl.org (Andreas Heigl)
To: Andrey Andreev, "internals@lists.php.net"
Date: Sat, 25 Jan 2014 15:11:18 +0100
Message-ID: <52E3C606.6000301@heigl.org>
References: <52E31FB6.9010408@ajf.me>

On 25.01.14 04:15, Andrey Andreev wrote:
> On Sat, Jan 25, 2014 at 4:21 AM, Andrea Faulds wrote:
>>
>> On 25/01/14 01:11, Andrey Andreev wrote:
>>>
>>> Yes, one can write a custom session handler, but there's a number of
>>> problems with that:
>>
>> Correct me if I'm wrong, but why would you need to do that? Surely, this
>> would suffice:
>>
>> if (!isset($_SESSION['ip'])) {
>>     $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
>> } else if ($_SERVER['REMOTE_ADDR'] !== $_SESSION['ip']) {
>>     session_destroy();
>> }
>>
>
> - I don't want the IP stored in session data, I already know it.
> - filemtime() result of the potentially targeted session id is
>   changed, extending its expiry time
> - multiple set-cookie headers
>
> Basically, I want it to be perfect. :)
>

Hi all.

Don't bash me when I'm wrong, but why would you want the IP check for the
session in the first place?

Don't get me wrong, I'm definitely in favour of more security, but the
issue I see is the following:

When a user has an ISP that regularly changes the IP address assigned to
the user via DHCP, the session then is lost, isn't it? So suddenly the
user is logged off without any apparent reason whatsoever.

And if that's not a problem, please take into account the user's real
address and not the address of any proxy that is in between (at least
when it's possible to determine it). And that involves a lot of header
checks, whether one or the other is set. And as soon as the appropriate
header is not set (which might be the case due to proxy misbehaviour or
misconfiguration), you will "only" have the IP of the proxy. So all
users behind such a proxy will share the same IP address. The same goes
for users behind NAT in a private network.

So there might be so many exceptions that I wouldn't know whether it's a
security benefit or not.

Or am I completely wrong and didn't get the point? Then feel free to
simply ignore this mail.

Andreas

--
                                                              ,,,
                                                             (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:andreas@heigl.org                  N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca                                               |
+---------------------------------------------------------------------+
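The thread above raises three practical objections to binding a session to REMOTE_ADDR: a client behind a forwarding proxy or NAT shows the proxy's address, a proxy header can be missing or forged, and a DHCP lease change logs the user out. The following is an added example, not code from the thread, from Andrea Faulds' snippet, or from PHP itself. It shows one way to implement the check while accounting for those objections: X-Forwarded-For is only honoured when the TCP peer is a configured trusted proxy, and addresses are compared by prefix rather than exactly. The `$trustedProxies` list, the /24 and /64 comparison widths, and the function names are assumptions for illustration; the tolerated prefix width is a policy choice and a wider prefix weakens the check.

```php
<?php
declare(strict_types=1);

/**
 * Determine the client address as the nearest trusted proxy saw it.
 * X-Forwarded-For is attacker-controlled unless the TCP peer
 * (REMOTE_ADDR) is one of our own proxies, so it is ignored otherwise.
 *
 * @param array<string,string> $server          $_SERVER or a constructed equivalent
 * @param string[]             $trustedProxies  hypothetical config: our reverse proxies
 */
function client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct connection: the peer is the client
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer; // header missing (misconfigured proxy): degrade to the proxy address
    }
    // Walk the chain right to left, skipping hops we trust. The first
    // untrusted hop is what our own proxy appended, i.e. the real client;
    // anything further left was supplied by the client and is not trusted.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the peer
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $peer; // every hop was one of ours
}

/**
 * Reduce an address to a comparison key: the /24 for IPv4, the /64 for
 * IPv6 (assumed widths). A lease change inside the same pool then keeps
 * the session, while a move to a different network does not.
 */
function ip_key(string $ip): string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        return 'invalid';
    }
    $bits = strlen($bin) === 4 ? 24 : 64;
    return bin2hex(substr($bin, 0, intdiv($bits, 8))) . '/' . $bits;
}

/**
 * Bind the session to the client key on first use; on mismatch, drop the
 * session contents. Returns true when the existing session was kept.
 * The caller should regenerate the session id after a mismatch.
 *
 * @param array<string,mixed> $session  $_SESSION or a constructed equivalent
 */
function enforce_session_binding(array &$session, string $ip): bool
{
    $key = ip_key($ip);
    if (!isset($session['ip_key'])) {
        $session['ip_key'] = $key;
        return true;
    }
    if (hash_equals((string) $session['ip_key'], $key)) {
        return true;
    }
    $session = [];
    return false;
}

// Constructed request: the client forged an X-Forwarded-For value, and our
// trusted proxy 10.0.0.5 appended the address it actually saw (203.0.113.7).
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
];
$session = [];
$ip = client_ip($server, ['10.0.0.5']);            // 203.0.113.7
enforce_session_binding($session, $ip);             // binds to 203.0.113.0/24
$kept    = enforce_session_binding($session, '203.0.113.200'); // true: same /24
$dropped = enforce_session_binding($session, '192.0.2.1');     // false: different network

// With real PHP sessions:
// session_start();
// if (!enforce_session_binding($_SESSION, client_ip($_SERVER, $trustedProxies))) {
//     session_regenerate_id(true);
// }
```

Note that when the trusted-proxy check fails and the header is absent, the code deliberately falls back to the proxy address, which is exactly the situation the message above describes: every user behind that proxy or NAT shares one key, so the binding still holds but no longer distinguishes those users from each other. Whether that residual value justifies the false logouts is the policy question the thread is debating, not something the code decides.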