On Sat, Jan 25, 2014 at 3:20 AM, Stas Malyshev <[email protected]> wrote:
> Hi!
>
> > Yes, one can write a custom session handler, but there's a number of
> > problems with that:
>
> Wouldn't using SessionHandler and overriding just, say, read() and
> adding the IP check there solve this issue? You don't have to bother
> with implementing the whole handler, it stays the same but you can check
> the IP after the session is loaded (or before if you wish, depending on
> what your check does).
>
I'm not aware of a way to override just read().
But even if I could, how would I avoid breaking the rest of the
SessionHandler? The manual implies that read() is where (in userland PHP
terms) fopen() + assign file handle + flock() would happen.
Doesn't make much sense for that to be possible.
On Sat, Jan 25, 2014 at 3:40 AM, Ferenc Kovacs <[email protected]> wrote:
>
> For the record suhosin supports this (
> http://www.hardened-php.net/suhosin/configuration.html#suhosin.session.cryptraddr)
> but to quote from the docs:
> "Keep in mind that this should not be used on sites that have visitors
> from big ISPs, because their IP address often changes during a session. But
> this feature might be interesting for admin interfaces or intranets."
> I agree with that statement, and this is why this can't be a default
> behavior, and given how easy it is to extend the default SessionHandler, I'm
> not even sure about providing an optional implementation for this.
>
I'm not suggesting that it should be On by default.
Otherwise, playing with custom session handlers is fun for me, personally.
But trust me when I say this: it is not easy for the majority of people out
there.
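The approach Stas describes (extend the built-in SessionHandler and override only read(), leaving the file handling to the parent) looks like the following. This is an added example, not code from the thread or from PHP itself; it assumes PHP 5.4 or later with the default files save handler, and it stores the client IP as a small prefix in front of the serialized session data so that read() can compare it without touching the rest of the handler.

```php
<?php
// Added example: bind a session to the client IP by wrapping the default
// handler. Only read() and write() are overridden; open/close/destroy/gc
// (including the fopen + flock that read() does internally) stay inherited.
// Assumption: PHP >= 5.4, default "files" save handler.
class IpBoundSessionHandler extends SessionHandler
{
    const PREFIX = "ip:";   // header written in front of the session payload

    private $clientIp;

    public function __construct($clientIp)
    {
        $this->clientIp = (string) $clientIp;
    }

    public function read($id)
    {
        $raw = parent::read($id);              // parent opens + locks the file
        if ($raw === '' || $raw === false) {
            return '';                          // new or empty session
        }
        $nl = strpos($raw, "\n");
        if ($nl === false || strncmp($raw, self::PREFIX, strlen(self::PREFIX)) !== 0) {
            return '';                          // no binding header: start fresh
        }
        $boundIp = substr($raw, strlen(self::PREFIX), $nl - strlen(self::PREFIX));
        if ($boundIp !== $this->clientIp) {
            // IP mismatch: hand back an empty session; write() at shutdown
            // then overwrites the stored data, so the old payload is dropped.
            return '';
        }
        return substr($raw, $nl + 1);          // payload PHP will unserialize
    }

    public function write($id, $data)
    {
        // Re-attach the binding header on every save.
        return parent::write($id, self::PREFIX . $this->clientIp . "\n" . $data);
    }
}

// As the suhosin docs quoted above note, this only suits admin interfaces
// or intranets: visitors behind large ISPs change IP mid-session.
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
session_set_save_handler(new IpBoundSessionHandler($ip), true);
session_start();
```

Because the parent's read() is still what opens and locks the session file, the inherited open(), close() and gc() keep working unchanged; the subclass only inspects and rewrites the data that passes through.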