Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72051
Return-Path: <narf@devilix.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 709 invoked from network); 3 Feb 2014 07:51:03 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2014 07:51:03 -0000
Authentication-Results: pb1.pair.com header.from=narf@devilix.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=narf@devilix.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain devilix.net designates 209.85.160.178 as permitted sender)
X-PHP-List-Original-Sender: narf@devilix.net
X-Host-Fingerprint: 209.85.160.178 mail-yk0-f178.google.com  
Received: from [209.85.160.178] ([209.85.160.178:33374] helo=mail-yk0-f178.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 88/04-15628-66A4FE25 for <internals@lists.php.net>; Mon, 03 Feb 2014 02:51:03 -0500
Received: by mail-yk0-f178.google.com with SMTP id 79so36978005ykr.9
        for <internals@lists.php.net>; Sun, 02 Feb 2014 23:50:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=devilix.net; s=google;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=+zHrwMGgVZbAYJz0/9jjgehkm2Lxibr94mpjhSfxPCg=;
        b=g1+z88uUhBx+Pj1hZRmZmuu5uolLaxMuF9rSFpWhb+c3aaqEEqEGnQkjt0MGayOvxw
         GYSgdzIPyRgYriyuSBvROj+wYySTlgnP8mwzhxMx1NykJTtMjhXiyv5t1/7ZxdB3g0wn
         iQ3vXxamwLgrFQtaBXiAvXR1g7o0h5f8aJhic=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:content-type;
        bh=+zHrwMGgVZbAYJz0/9jjgehkm2Lxibr94mpjhSfxPCg=;
        b=ceW0NHgEGX5+NufSTkvWLbsDZL6VsWZYJ5ds5UCdnaTDmDRfX8kYw10oJXOM+t3Ypu
         s3xvOId1cUsU1lzvkVioLHekeL7wsCh5w2sXwhEUilZkO0KeoEf6aZl2WEcAZR2ccZ9L
         f5uIg6uIiANbJlTri7zoi2Q2MzI3RygsF0ZaOCaE14X1M3IxxNUWci3QIenDiPLTDouG
         8F8TYAGALG26WT8L5Pz0CDEpRwDChIuZgND3ajorMlNp+IRWwB4HgXNqGuep8ekFeEgy
         zqR9S6dtYSvXzJPLg74/OKBgprRhq3SVihQQHrxN+qytRnIljoBFZbZCl7rs5370C/YJ
         Ak8Q==
X-Gm-Message-State: ALoCoQn2PInwkbGHJlDATk4/gmXSqyykPGLwF4NC/BRjIvK5yeHRjcq+R4yxAwsWfqiwyuYNjtGa
MIME-Version: 1.0
X-Received: by 10.236.162.132 with SMTP id y4mr32735595yhk.16.1391413859593;
 Sun, 02 Feb 2014 23:50:59 -0800 (PST)
Received: by 10.170.144.85 with HTTP; Sun, 2 Feb 2014 23:50:59 -0800 (PST)
In-Reply-To: <CAPhkiZwDgMqHuyTN89_0yJKYnusmELfLR0DV2_i-zoHKg2=GoA@mail.gmail.com>
References: <CAPhkiZyMULFgCoTaaqtwx_34ovTX-36dTdVUgMXE_aWPd5O+WQ@mail.gmail.com>
	<CAH-PCH71z58Ghhg9koPRM8RXYk1bXWSW_ogJqY1TpUAQK8pu6A@mail.gmail.com>
	<CAPhkiZwsS6wEijXJGHx03f7zf9OFDg9G_2NwMqNDZSmmPsBBZA@mail.gmail.com>
	<52E319F2.8080705@sugarcrm.com>
	<CAPhkiZy7+6hGakv4bXVR2djx18H+s_69OUoyPSjd=JaUVVp61Q@mail.gmail.com>
	<52E3959D.4000103@sugarcrm.com>
	<CAGa2bXZGujJXHpNv3veVg9u8QxRUW=Q__df145x1vJh+KyT3dQ@mail.gmail.com>
	<52E45A5D.7020807@sugarcrm.com>
	<CAGa2bXbDCY3vG-VThsfbRVmZhs7jWzAYu0XDDyq2-WVz_OeAkg@mail.gmail.com>
	<CAGa2bXbMQzydCTG=bZ3XLzxgLBSzwQ6BUsJGUUtmx2kf=YEXoQ@mail.gmail.com>
	<CAPhkiZwDgMqHuyTN89_0yJKYnusmELfLR0DV2_i-zoHKg2=GoA@mail.gmail.com>
Date: Mon, 3 Feb 2014 09:50:59 +0200
Message-ID: <CAPhkiZwGbx9xZCd2CKmYJuYOFpV95Pm7HUxbs5brBEUYrBZc7w@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Session IP address matching
From: narf@devilix.net (Andrey Andreev)

> If you force this measure on /wp-admin or equivalent, you'll never
> retain customers. (Some frameworks offer this option in userland
> anyway -- plus the absolutely _vital_ ability for the user to turn it
> off him/herself.)

Why is everybody talking like I'm proposing to change this internally
and not leave any option to turn it off? This is a new option,
defaulting to Off.

> A special case where the feature might do more good than harm is when
> both server and clients are on the same LAN with static IPs. If the
> organization is computing/scientific in nature it might be reasonable
> to expect inside jobs using network taps, bespoke interception boxes
> -- or whatever -- to intercept SSL and also hijack per-request session
> IDs (perhaps by timing for end-of-day or something). The extra IP
> check might then be practical protection. But unless the internal
> systems saw seriously high traffic surely a userland implementation
> would work just fine.

Server and clients being on the same LAN is (of course) what I mean
when I mention an intranet. IPs don't have to be static, although they
usually are in such an environment.
I also don't understand why a non-computing/scientific organization
should neglect security. Yes, probablility of inside jobs is
different, but still - one tech savvy employee in a bad mood is
sufficient.

> (My) bottom line is that putting this feature in core is a clear
> recipe for disaster. Most PHP users, let alone the "app deployer" type
> of users, don't know s**t about HTTP or TCP/IP. The moment turning on
> this feature gets mistakenly documented as a best practice on some
> excited newbie's blog, or somebody's downvoted-but-not-deleted
> StackOverflow post, you've caused way more harm than good. Look at it
> this way: if even *Stefan* (Suhosin) recommends conservative use, take
> that caveat very seriously.

So document it properly. User's lack of knowledge shouldn't be a
reason to exclude a feature.

Cheers,
Andrey.