Re: Session IP address matching
Ok, so there is a way to override a single method. Sorry about that ... I
have my own reasons to still think about PHP 5.3 compatibility (which,
granted - this feature couldn't solve).
Still, that is not optimal. The desired effect is to call the session file
something like:
<session.name>_<REMOTE_ADDR(hash)>_<session_id>
I can't think of a way of making that happen, so I guess a work-around
would be to do:
public function open($save_path, $session_id)
{
$save_path .= DIRECTORY_SEPARATOR.md5($_SERVER['REMOTE_ADDR']);
if ( ! is_dir($save_path) && ! mkdir($save_path, 0600))
{
return FALSE;
}
return parent::open($save_path, $session_id);
}
(because the manual says that directories must already be created)
But it is not clear what happens with session.save_path afterwards ... is
this the only place where it matters?
Plus, I don't think this would be ideal for something like sessions in
terms of performance (that's why I listed the directory-based approach
last, in my first mail).
What if I want to use session.auto_start?
And really, do you consider this to be convenient compared to a single ini
setting?
On Sat, Jan 25, 2014 at 3:57 AM, Stas Malyshev <[email protected]>wrote:
> Hi!
>
> > I'm not aware of a way to override just read().
>
> What would be the problem with it? You can override each method
> independently.
>
> > But even even if I could, how would I avoid breaking the rest of the
> > SessionHandler? The manual implies that read() is where (in userland PHP
> > terms) fopen() + assign file handle + flock() would happen.
>
> Why would you break it? Just do something like:
>
> class SessionHandlerWithIPChecks extends SessionHandler {
>
> public function SessionHandler::read($session_id)
> {
> $data = parent::read($session_id);
> if(!$this->doChecks($data)) {
> return "";
> }
> return $data;
> }
> }
>
> Then do:
>
> session_set_save_handler(new SessionHandlerWithIPChecks());
Thread (29 messages)