Newsgroups: php.internals
Date: Sun, 26 Jan 2014 03:40:07 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: Andrey Andreev, PHP Internals
Subject: Re: [PHP-DEV] Session IP address matching

Hi Stas,

On Sat, Jan 25, 2014 at 7:44 PM, Stas Malyshev wrote:

> > Still, that is not optimal. The desired effect is to call the session
> > file something like:
> >
> > __
>
> I'm sure there's a reason why you want that, but I'm not sure I'm seeing
> a generic use case for this for core. Why would most of the core users
> care how the session files are named and require them named in a
> specific way?
>

I have a client who wants to distinguish sessions by session ID. They don't
want to store the IP in the session name. They would like to know the creation
and modification time w/o actually reading session data, for performance
reasons.

> If you want to limit access to sessions to specific IPs only, there
> already is an easy way to do it, by overriding SessionHandler. If you
> want to make sessions stick to IP, there's also a pretty easy way to do it
> too. So I wonder - why change the core if it can already easily be done
> with what we have?

The reason why I made session_create_id() is mainly for security reasons.
Without it, users would do something like

    $new_session_id = sha1(uniqid());

which is a really bad thing to do. session_create_id() generates an ID using
the same code PHP uses to generate IDs, which is much more secure than the
above and is supposed to be faster than a userland script.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
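
The following is an added example, not part of the original message or of PHP's own code: it puts the `sha1(uniqid())` pattern quoted above beside a CSPRNG-based ID and estimates how little entropy the former carries. The function names and the `$windowSeconds` parameter are assumptions made for illustration; `session_create_id()` is called only where the running PHP provides it (7.1 and later).

```php
<?php
declare(strict_types=1);

// The pattern the message warns against: uniqid() is derived from the
// system clock, and hashing a guessable value adds no entropy.
function weak_session_id(): string
{
    return sha1(uniqid());
}

// uniqid() without a prefix is 8 hex digits of Unix seconds followed by
// 5 hex digits of microseconds; recover that clock reading.
function decode_uniqid(string $id): array
{
    return [
        'sec'  => (int) hexdec(substr($id, 0, 8)),
        'usec' => (int) hexdec(substr($id, 8, 5)),
    ];
}

// Upper bound on the entropy of sha1(uniqid()) when the creation time is
// known to within $windowSeconds (assumed parameter for illustration).
function uniqid_entropy_bits(float $windowSeconds): float
{
    return log($windowSeconds * 1000000, 2);
}

// Hardened form: 128 bits from the operating system CSPRNG (PHP 7.0+).
function strong_session_id(): string
{
    return bin2hex(random_bytes(16));
}

$raw   = uniqid();
$clock = decode_uniqid($raw);
printf("uniqid()     : %s -> %s.%06d UTC\n", $raw, gmdate('Y-m-d H:i:s', $clock['sec']), $clock['usec']);
printf("weak ID      : %s\n", weak_session_id());
printf("weak entropy : at most %.1f bits for a 1 s window\n", uniqid_entropy_bits(1.0));
printf("strong ID    : %s (128 bits)\n", strong_session_id());

// session_create_id() shipped in PHP 7.1; guard so the script runs on 7.0.
if (function_exists('session_create_id')) {
    printf("session_create_id(): %s\n", session_create_id());
}
```

The 40-character SHA-1 output looks like 160 bits, but its unpredictability is bounded by the clock value that went into it.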