Re: Session IP address matching

From: Date: Sat, 25 Jan 2014 03:15:12 +0000
Subject: Re: Session IP address matching
Groups: php.internals
On Sat, Jan 25, 2014 at 4:21 AM, Andrea Faulds <[email protected]> wrote:
>
>
> On 25/01/14 01:11, Andrey Andreev wrote:
>>
>> Yes, one can write a custom session handler, but there's a number of
>> problems with that:
>
>
> Correct me if I'm wrong, but why would you need to do that? Surely, this
> would suffice:
>
>     if (!isset($_SESSION['ip'])) {
>         $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
>     } else if ($_SERVER['REMOTE_ADDR'] !== $_SESSION['ip']) {
>         session_destroy();
>     }
>

 - I don't want the IP stored in session data, I already know it.
 - filemtime() result of the potentially targeted session id is
changed, extending its expiry time
 - multiple set-cookie headers

Basically, I want it to be perfect. :)

