Re: Session IP address matching

From: Date: Sun, 26 Jan 2014 01:00:34 +0000
Subject: Re: Session IP address matching
References: 1 2 3 4 5 6 7 8  Groups: php.internals 
Request: Send a blank email to [email protected] to get a copy of this message 
Hi Stas,

On Sun, Jan 26, 2014 at 9:44 AM, Stas Malyshev <[email protected]>wrote:

> > which is really bad thing to do. session_create_id() generate ID using
> > the same code PHP generates ID which is much secure than above and
> > supposed to be faster than user land script.
>
> I agree that exposing the ID creation function is a good addition
> (actually if it was available I'd probably use it in other contexts
> where I need a random token, not necessarily a session ID as such).
> Maybe we need even more generic function and have session reuse that
> code, too.


Although I've written it already, I appreciate any comments for
improvement. Do you have idea for session_create_id()?
Perhaps, more generic function name and/or move to ext/standard?

For more generic ID or token, I think we need UUID module. If there
is a module available, we are better to include it. I think someone
is working on it.

Regards,

--
Yasuo Ohgaki
[email protected]

Thread (29 messages)

« previous php.internals (#71576) next »