Newsgroups: php.internals
Xref: news.php.net php.internals:81111
Date: Sun, 25 Jan 2015 16:46:54 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andrey Andreev
Cc: Stanislav Malyshev, internals@lists.php.net
Subject: Re: [PHP-DEV] Removing base class from session handler
References: <54C1D562.1080402@gmail.com> <54C1EE77.7040000@gmail.com> <54C2DE03.6090708@gmail.com>

Hi Andrey,

On Sun, Jan 25, 2015 at 11:54 AM, Andrey Andreev wrote:
> To prevent session fixation?
>
> Doesn't matter, I was just giving you an example.
>

If an app may assume that clients have a constant IP, then the IP may be used to prevent stolen sessions. Unfortunately, we live in a mobile world, so this solution may be used in very limited environments.

Using a save handler for this purpose may trigger an error from an unknown file/line. I would advise writing the following code somewhere in the usual locations.

    // Compare the IP recorded in the session with the IP of this request.
    if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
        log_security_breach();                     // application's own logging
        session_regenerate_id();                   // issue a new session ID
        session_unset();                           // drop the session data
        die_or_trigger_error_if_it_is_needed();    // application's own policy
    }

Anyway, if anyone would like to implement something fancy in save handlers, beware that it may result in consequences that you may not be willing to have.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
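The check sketched in the message above, worked out as a complete drop-in function. This is an added example, not code from the original post or from PHP itself: the function name enforce_session_ip_binding(), the logging helper log_security_event() (standing in for the post's log_security_breach()) and the session key last_ip are assumptions. It adds the piece the sketch leaves implicit, namely recording the IP on the first request, and uses session_regenerate_id(true) so the old session record is deleted rather than left behind.

```php
<?php
// Added example (not from the original post): bind a PHP session to the
// client IP in application code, as the message suggests, rather than
// inside a custom save handler where a failure surfaces with an unhelpful
// file/line. Function and key names are assumptions.
declare(strict_types=1);

// Hypothetical logging hook; stands in for log_security_breach() in the post.
function log_security_event(string $message): void
{
    // error_log() writes to the SAPI error log; swap in your own logger.
    error_log('[session-security] ' . $message);
}

/**
 * Enforce that the session is only used from the IP that created it.
 *
 * Returns true when the session is fresh or the IP matches, false when a
 * mismatch was detected (in which case the old session data and ID have
 * already been discarded and a new, empty session issued).
 *
 * Caveat from the thread: mobile and NAT clients legitimately change IPs,
 * so treat a mismatch as a reason to re-authenticate, not as proof of an
 * attack. Behind a reverse proxy REMOTE_ADDR is the proxy's address, so
 * resolve the real client IP from a header you trust before calling this.
 */
function enforce_session_ip_binding(?string $clientIp = null): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $clientIp ??= $_SERVER['REMOTE_ADDR'] ?? '';

    // First request in this session: record the IP and move on.
    if (!isset($_SESSION['last_ip'])) {
        $_SESSION['last_ip'] = $clientIp;
        return true;
    }

    if (hash_equals((string) $_SESSION['last_ip'], $clientIp)) {
        return true;
    }

    // Mismatch: log it, then discard the session contents and the old ID so
    // that whoever holds the old cookie no longer has a usable session.
    log_security_event(sprintf(
        'session %s bound to %s was presented from %s',
        session_id(),
        $_SESSION['last_ip'],
        $clientIp
    ));
    session_unset();                // drop all session data
    session_regenerate_id(true);    // new ID; delete the old session record

    // The new session is left empty; the next call records its IP afresh.
    return false;
}

// Typical use at the top of a request:
if (!enforce_session_ip_binding()) {
    // Force re-authentication; the exact response is an application decision.
    http_response_code(403);
    exit('Session is no longer valid, please log in again.');
}
```

Because the function only ever sets last_ip on a session that lacks it, a session fixated by an attacker before login inherits whatever IP first touched it; pair this check with the usual session_regenerate_id(true) at login so that binding and ID are both established by the authenticated request.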