Re: Session IP address matching
On Sat, Jan 25, 2014 at 2:11 AM, Andrey Andreev <[email protected]> wrote:
> Hello,
>
> ext/session lacks the option to check the visitor's IP address and this is
> a much needed feature for pretty much everybody writing web applications
> today. I'll call it 'session.match_ip' for now.
> So much needed in fact, that I'm surprised PHP made it to 2014 without that
> option, especially since there already is 'session.referer_check'.
>
> Yes, one can write a custom session handler, but there's a number of
> problems with that:
>
> - Most people don't know enough to do it properly, more specifically - how
> to handle concurrency.
>
> - The documentation available is pretty limited.
>
> - Unless I want another type of storage, why should I bother trying to
> replicate ext/session just for this one option?
>
> And of course, there are a few pre-made handlers in PECL, but those are
> afaik no longer maintaned and not feasible if you'd be distributing your
> end product instead of just running it yourself.
>
> I'd write an RFC about it, but I know it doesn't stand a good chance
> without a patch to go with it and I'm not comfortable enough with my C
> knowledge to do it myself. It should be simple enough in theory though ....
>
> - Create an MD5 hash of REMOTE_ADDR and do one of these:
>
> - Prepend it to the session file name
> - Create a directory named after it under session.save_path
> - Have the option to specify it in session.save_path itself, like it's
> done with N and MODE
>
> It shouldn't cause any BC breaks and the only issue I can think of is loss
> of existing sessions when the option is being turned On/Off. I wouldn't be
> bothered by that really, it should be expected.
>
> So, how do you guys feel about this? Would anybody be willing to write the
> patch (I'll do the RFC)?
>
> Cheers,
> Andrey Andreev a.k.a. Narf.
>
For the record suhosin supports this(
http://www.hardened-php.net/suhosin/configuration.html#suhosin.session.cryptraddr)
but to quote from the docs:
"Keep in mind that this should not be used on sites that have visitors from
big ISPs, because their IP address often changes during a session. But this
feature might be interesting for admin interfaces or intranets."
I agree with that statement, and this is why this can't be a default
behavior, and given how easy is to extend the default SessionHandler, I'm
not even sure about providing an optional implementation for this.
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Thread (29 messages)