Subject: Re: [PHP-DEV] Session IP address matching
From: Ralf Lang <lang@b1-systems.de>
To: internals@lists.php.net
Date: Sat, 25 Jan 2014 15:35:39 +0100
Message-ID: <52E3CBBB.6070003@b1-systems.de>
In-Reply-To: <52E3C606.6000301@heigl.org>

On 25.01.2014 15:11, Andreas Heigl wrote:
> On 25.01.14 04:15, Andrey Andreev wrote:
>> On Sat, Jan 25, 2014 at 4:21 AM, Andrea Faulds wrote:
>>>
>>> On 25/01/14 01:11, Andrey Andreev wrote:
>>>>
>>>> Yes, one can write a custom session handler, but there are a number of
>>>> problems with that:
>>>
>>>
>>> Correct me if I'm wrong, but why would you need to do that? Surely, this
>>> would suffice:
>>>
>>> if (!isset($_SESSION['ip'])) {
>>>     $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
>>> } else if ($_SERVER['REMOTE_ADDR'] !== $_SESSION['ip']) {
>>>     session_destroy();
>>> }
>>>
>>
>> - I don't want the IP stored in session data, I already know it.
>> - filemtime() result of the potentially targeted session id is
>>   changed, extending its expiry time
>> - multiple set-cookie headers
>>
>> Basically, I want it to be perfect. :)
>>
> Hi all.
>
> Don't bash me when I'm wrong, but why would you want the IP check for
> the session in the first place? Don't get me wrong, I'm definitely in
> favour of more security, but the issue I see is the following:
> When a user has an ISP that regularly changes the IP address assigned
> to the user via DHCP, the session is then lost, isn't it? So suddenly the
> user is logged off without any apparent reason whatsoever.
>
> And if that's not a problem, please take into account the user's real
> address and not the address of any proxy that is in between (at least
> when it's possible to determine it). And that involves a lot of header
> checks, whether one or the other is set. And as soon as the appropriate
> header is not set (which might be the case due to proxy misbehaviour or
> misconfiguration), you will "only" have the IP of the proxy. So all
> users behind such a proxy will share the same IP address. The same goes
> for users behind NAT in a private network.

We have this security feature in userspace code in Horde 3-5, but it's of
limited value because all installations with corporate network users need
to turn it off (because their IPs are constantly changing).
-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
Managing Director: Ralph Dehner / Registered office: Vohburg / Commercial register: Ingolstadt, HRB 3537
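The two failure modes the thread circles around (a client-controlled X-Forwarded-For header being trusted, and every user behind a misconfigured proxy or NAT collapsing onto one address) are easiest to see in code. The following PHP is an added example written for this page; it is not code from the thread, from PHP itself or from Horde. It assumes a deployment-specific list of trusted proxy addresses and an HMAC secret (both placeholders here), reads request data from plain arrays shaped like `$_SERVER` rather than a live request, and uses constructed sample requests.

```php
<?php
// Added example, not from the thread. Binds a PHP session to the resolved
// client address while consulting X-Forwarded-For only when the TCP peer is a
// trusted proxy. $trustedProxies and $secret are deployment placeholders.
declare(strict_types=1);

/**
 * Resolve the client address from a $_SERVER-shaped array.
 * The header is only honoured when REMOTE_ADDR is a trusted proxy; otherwise
 * the client could have written the header itself. The chain is walked from
 * the right so that the first hop not belonging to a trusted proxy wins.
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;                      // direct connection, header ignored
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        // Proxy misconfiguration: only the proxy's own address is available,
        // so every user behind it shares one IP (the case raised in the thread).
        return $remote;
    }
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)) {
            // Reject garbage in the header rather than binding the session to it.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
        }
    }
    return $remote;                          // whole chain was trusted proxies
}

/**
 * Bind on first sight, compare afterwards. Only a keyed hash of the address
 * is kept in the session array, so the raw IP is not written to session
 * storage. Returns false when the session should be discarded.
 */
function session_ip_matches(array &$session, string $clientIp, string $secret): bool
{
    $fingerprint = hash_hmac('sha256', $clientIp, $secret);
    if (!isset($session['ip_fp'])) {
        $session['ip_fp'] = $fingerprint;
        return true;
    }
    return hash_equals($session['ip_fp'], $fingerprint);
}

// Constructed sample data (placeholders, not real deployment values).
$trusted = ['10.0.0.5'];
$secret  = 'replace-with-a-per-deployment-secret';

$direct   = ['REMOTE_ADDR' => '203.0.113.7'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5'];
$spoofed  = ['REMOTE_ADDR' => '198.51.100.9',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];

$session = [];
foreach (['direct' => $direct, 'viaProxy' => $viaProxy, 'spoofed' => $spoofed] as $name => $req) {
    $ip = resolve_client_ip($req, $trusted);
    $ok = session_ip_matches($session, $ip, $secret);
    printf("%-9s resolved=%-13s session %s\n", $name, $ip, $ok ? 'continues' : 'must be destroyed');
}
```

In a real handler the false branch would call `session_destroy()` followed by `session_regenerate_id(true)` before issuing a fresh session, which keeps the mismatched request from touching the old session file. The example deliberately does not solve the DHCP and NAT objections from the thread: a client whose address legitimately changes is still logged out, and everyone behind one NAT gateway still shares a fingerprint, which is exactly why the Horde installations mentioned above end up turning the check off.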