Re: Session IP address matching

From: Andreas Heigl
Date: Sat, 25 Jan 2014 14:11:18 +0000
Subject: Re: Session IP address matching
Groups: php.internals
On 25.01.14 04:15, Andrey Andreev wrote:
> On Sat, Jan 25, 2014 at 4:21 AM, Andrea Faulds <[email protected]> wrote:
>>
>>
>> On 25/01/14 01:11, Andrey Andreev wrote:
>>>
>>> Yes, one can write a custom session handler, but there's a number of
>>> problems with that:
>>
>>
>> Correct me if I'm wrong, but why would you need to do that? Surely, this
>> would suffice:
>>
>>     if (!isset($_SESSION['ip'])) {
>>         $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
>>     } else if ($_SERVER['REMOTE_ADDR'] !== $_SESSION['ip']) {
>>         session_destroy();
>>     }
>>
> 
>  - I don't want the IP stored in session data, I already know it.
>  - filemtime() result of the potentially targeted session id is
> changed, extending its expiry time
>  - multiple set-cookie headers
> 
> Basically, I want it to be perfect. :)
> 
Hi all.

Don't bash me when I'm wrong, but why would you want the IP check for
the session in the first place? Don't get me wrong, I'm definitely in
favour of more security, but the issue I see, is the following:
When a user has an ISP that regularly changes the IP address assigned
to the user via DHCP, the session is then lost, isn't it? So suddenly the
user is logged off without any apparent reason whatsoever.

And if that's not a problem, please take into account the user's real
address and not the address of any proxy that is in between (at least
when it's possible to determine it). And that involves a lot of header
checks, whether one or the other is set. And as soon as the appropriate
header is not set (which might be the case due to proxy misbehaviour or
misconfiguration), you will "only" have the IP of the proxy. So all
users behind such a proxy will share the same IP address. The same goes
for users behind NAT in a private network.

So there might be so many exceptions that I wouldn't know whether it's a
security benefit or not.

Or am I completely wrong and didn't get the point? Then feel free to
simply ignore this mail.

Andreas

-- 
                                                              ,,,
                                                             (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:[email protected]                  N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca                                               |
+---------------------------------------------------------------------+



Attachment: [application/pkcs7-signature] S/MIME Cryptographic Signature smime.p7s
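The following is an added example, not code from this thread or from PHP itself, showing how the check Andrea sketched looks once the proxy problem Andreas raises is taken into account. The names TRUSTED_PROXIES, client_ip(), session_ip_matches() and enforce_session_ip() are this example's own, the proxy addresses and the sample requests are constructed, and the policy it implements is an assumption: X-Forwarded-For is honoured only when the TCP peer is a proxy we operate, and when no client address can be established the session is dropped rather than guessed at.

```php
<?php
declare(strict_types=1);

// Assumption: only these reverse proxies may set X-Forwarded-For. A header
// arriving directly from any other REMOTE_ADDR is attacker-controlled.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Resolve the client IP for one request. $server is the $_SERVER array,
 * passed in so the function can be exercised offline on constructed input.
 * Returns null when no trustworthy address can be determined.
 */
function client_ip(array $server): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (in_array($remote, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Walk the chain right to left: the right-most hop that is not one of
        // our proxies is the client as seen by the first trusted hop. Anything
        // further left was supplied by untrusted parties and may be forged.
        $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
        foreach ($hops as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                return null; // malformed header: refuse rather than guess
            }
            if (!in_array($hop, TRUSTED_PROXIES, true)) {
                return $hop;
            }
        }
        // Every listed hop was one of our proxies; fall through to REMOTE_ADDR.
    }
    // No usable header: this is the proxy's (or NAT gateway's) address, which
    // all users behind it share, exactly the case Andreas describes.
    return $remote;
}

/**
 * Bind the session to the first IP seen and reject any later mismatch.
 * $session is the $_SESSION array; returns true if the session may continue.
 */
function session_ip_matches(array &$session, ?string $ip): bool
{
    if ($ip === null) {
        return false;          // could not establish who is talking to us
    }
    if (!isset($session['ip'])) {
        $session['ip'] = $ip;  // first request after login: bind
        return true;
    }
    return $session['ip'] === $ip;
}

/** Call once per request after session_start(). */
function enforce_session_ip(): void
{
    if (!session_ip_matches($_SESSION, client_ip($_SERVER))) {
        // Drop server-side data and the old id, then continue with a fresh,
        // unbound session so the request is treated as anonymous.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
}

// Constructed requests covering the cases discussed in the thread.
$cases = [
    'direct client'           => ['REMOTE_ADDR' => '203.0.113.7'],
    'via trusted proxy'       => ['REMOTE_ADDR' => '10.0.0.5',
                                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.6'],
    'forged header, no proxy' => ['REMOTE_ADDR' => '198.51.100.9',
                                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'proxy dropped header'    => ['REMOTE_ADDR' => '10.0.0.5'],
];
foreach ($cases as $label => $server) {
    printf("%-24s -> %s\n", $label, client_ip($server) ?? 'unknown');
}
```

Running it shows the two sides of the argument: the forged header from 198.51.100.9 is ignored, so an attacker cannot spoof their way past the check, while the "proxy dropped header" request resolves to 10.0.0.5 and every user behind that proxy shares the binding. The DHCP case Andreas raises is not fixable by this code at all: a changed client address legitimately fails session_ip_matches() and the user is logged off, which is the trade-off the thread is weighing.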
