Re: Session IP address matching
Hi Stas,
On Sat, Jan 25, 2014 at 7:44 PM, Stas Malyshev <[email protected]> wrote:
> > Still, that is not optimal. The desired effect is to call the session
> > file something like:
> >
> > <session.name>_<REMOTE_ADDR(hash)>_<session_id>
>
> I'm sure there's a reason why you want that, but I'm not sure I'm seeing
> a generic use case for this for core. Why would most of the core users
> care how the session files are named and require them named in a
> specific way?
>
I have a client who wants to distinguish sessions by session ID.
They don't want to store the IP in the session name.
They would like to know the creation and modification times without
actually reading the session data, for performance reasons.
> If you want to limit access to sessions to specific IPs only, there
> already is an easy way to do it, by overriding SessionHandler. If you
> want to make sessions stick to IP, there's also a pretty easy way to do it
> too. So I wonder - why change the core if it can already easily be done
> with what we have?
The reason why I made session_create_id() is mainly for security
reasons. Without it, users would do something like
    $new_session_id = sha1(uniqid());
which is a really bad thing to do. session_create_id() generates the ID using
the same code PHP uses to generate IDs, which is much more secure than the above
and is supposed to be faster than a userland script.
Regards,
--
Yasuo Ohgaki
[email protected]
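
Added example, not part of the original message or of the PHP source: it decodes a bare uniqid() value to show that it is only the server clock, so sha1(uniqid()) carries no more entropy than the time of the request, and contrasts it with an ID from session_create_id(). The helper names decode_uniqid, weak_session_id and strong_session_id are hypothetical; it assumes PHP 7.1 or later run from the CLI.

```php
<?php
// Added illustration; helper names are hypothetical, not from the thread.

/**
 * A bare uniqid() is 13 hex digits: 8 for Unix seconds, 5 for microseconds.
 * Decoding it shows the value is the server clock and nothing more.
 */
function decode_uniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a bare uniqid() value');
    }
    return [
        'sec'  => hexdec(substr($id, 0, 8)),
        'usec' => hexdec(substr($id, 8, 5)),
    ];
}

/** The pattern from the message: hashing hides the input but adds no entropy. */
function weak_session_id(): string
{
    return sha1(uniqid());
}

/** ID from PHP's own session ID generator, with a CSPRNG fallback. */
function strong_session_id(): string
{
    $id = function_exists('session_create_id') ? session_create_id() : false;
    return $id !== false ? $id : bin2hex(random_bytes(16)); // 128 random bits
}

$before = microtime(true);
$raw    = uniqid();
$after  = microtime(true);

$t     = decode_uniqid($raw);
$stamp = $t['sec'] + $t['usec'] / 1e6;
$slack = 0.001; // tolerance for float rounding of the clock reads

printf("uniqid()           = %s\n", $raw);
printf("decoded as a time  = %.6f\n", $stamp);
printf("clock around call  = %.6f .. %.6f\n", $before, $after);
printf("falls in that span = %s\n",
    ($stamp >= $before - $slack && $stamp <= $after + $slack) ? 'yes' : 'no');
printf("sha1(uniqid())     = %s\n", weak_session_id());
printf("strong_session_id  = %s\n", strong_session_id());
```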