Newsgroups: php.internals
Date: Sun, 26 Jan 2014 17:46:27 +0200
To: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Session IP address matching
From: narf@devilix.net (Andrey Andreev)

Yes, there are a lot of possible cases where IP addresses could be changed
frequently. Yes, there are a lot of cases where users would be behind a NAT
gateway or a proxy. And yes, session.match_ip wouldn't be applicable or as
useful under such conditions.

But consider an intranet environment, the future with IPv6 (even if not as
close as we'd like it to be) or just an otherwise appropriate user base. I
agree that this feature wouldn't be suitable for your general, public web
application, but I think somebody already pointed out that this would be
useful for admin interfaces. How many applications don't have that? There
certainly are use cases.

On Sun, Jan 26, 2014 at 3:08 AM, Yasuo Ohgaki wrote:
> Hi Stas,
>
> On Sun, Jan 26, 2014 at 10:00 AM, Yasuo Ohgaki wrote:
>>
>> On Sun, Jan 26, 2014 at 9:44 AM, Stas Malyshev
>> wrote:
>>>
>>> > which is a really bad thing to do. session_create_id() generates an ID using
>>> > the same code PHP generates ID, which is much more secure than above and
>>> > supposed to be faster than user land script.
>>>
>>> I agree that exposing the ID creation function is a good addition
>>> (actually if it was available I'd probably use it in other contexts
>>> where I need a random token, not necessarily a session ID as such).
>>> Maybe we need an even more generic function and have session reuse that
>>> code, too.
>>
>>
>> Although I've written it already, I appreciate any comments for
>> improvement. Do you have an idea for session_create_id()?
>> Perhaps a more generic function name and/or a move to ext/standard?
>
>
> An idea for session_id().
> It would be better to allow session_id() to set SID regardless of
> use_strict_mode. It's the programmer's intention.
>
> Should I make this change from 5.5? It's nicer than now.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>