Re: Session IP address matching

From: Date: Sat, 25 Jan 2014 09:54:01 +0000
Subject: Re: Session IP address matching
Groups: php.internals
Andrey Andreev wrote:
Yes, one can write a custom session handler, but there's a number of
problems with that:
Correct me if I'm wrong, but why would you need to do that? Surely, this would suffice:
    if (!isset($_SESSION['ip'])) {
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    } else if ($_SERVER['REMOTE_ADDR'] !== $_SESSION['ip']) {
        session_destroy();
    }
- I don't want the IP stored in session data, I already know it.
- filemtime() result of the potentially targeted session id is changed, extending its expiry time
- multiple set-cookie headers

Basically, I want it to be perfect. :)
Since nowadays the vast majority of 'users' do not have fixed IP addresses, and the methods used to share IPs on mobile phones are making that even more of a problem. It has already been pointed out that this can't be a default. Personally I keep track of the visitor IPs in a database and so have my own handling and I'm fairly sure most frameworks also do that. So I do not believe it leaves many options that could be considered safe to use as an alternative? So to

So much needed in fact, that I'm surprised PHP made it to 2014 without that option, especially since there already is 'session.referer_check'.

the answer is - because no one can come up with something that is safe to use?
-- Lester Caine - G8HFL ----------------------------- Contact - http://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - http://lsces.co.uk EnquirySolve - http://enquirysolve.com/ Model Engineers Digital Workshop - http://medw.co.uk Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
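
An added example, not part of the original message and not code from PHP or from any poster in this thread: one way to do the address comparison outside the session, in a side database like the one mentioned above, so the address is not kept in `$_SESSION` and a mismatching request never reaches `session_start()`. The table name, function names, the SQLite store (pdo_sqlite assumed available) and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. Table, function names and sample values are hypothetical;
// assumes the pdo_sqlite extension is available.

function open_ip_store(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS session_ip (
                   sid_hash TEXT PRIMARY KEY,
                   ip       TEXT NOT NULL)');
    return $db;
}

// Call once, right after session_start() has created a new session.
function bind_session_ip(PDO $db, string $sid, string $ip): void
{
    $db->prepare('INSERT OR REPLACE INTO session_ip (sid_hash, ip) VALUES (?, ?)')
       ->execute([hash('sha256', $sid), $ip]);   // never store the raw id
}

// Returns 'match', 'mismatch', or 'unknown' (no address recorded for this id).
function check_session_ip(PDO $db, string $sid, string $ip): string
{
    $q = $db->prepare('SELECT ip FROM session_ip WHERE sid_hash = ?');
    $q->execute([hash('sha256', $sid)]);
    $known = $q->fetchColumn();
    if ($known === false) {
        return 'unknown';
    }
    return hash_equals((string) $known, $ip) ? 'match' : 'mismatch';
}

// Constructed sample run: made-up session id, documentation-range addresses.
$db  = open_ip_store();
$sid = 'constructed-session-id-0001';
bind_session_ip($db, $sid, '192.0.2.10');
foreach (['192.0.2.10', '198.51.100.7'] as $ip) {
    echo $ip, ' => ', check_session_ip($db, $sid, $ip), PHP_EOL;
}
echo check_session_ip($db, 'never-seen-id', '192.0.2.10'), PHP_EOL;

// In a request handler the check runs before session_start():
//   $sid = $_COOKIE[session_name()] ?? '';
//   if ($sid === '' || check_session_ip($db, $sid, $_SERVER['REMOTE_ADDR']) !== 'mismatch') {
//       session_start();   // on 'mismatch' the session is simply never opened
//   }
```

A client whose address changes mid-session is reported as a mismatch here as well, which is the limitation raised in the message above.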
