Re: Format of session id and $_SERVER['REMOTE_ADDR']

Posted by Gordon Burditt on 02/08/07 03:19

>Why even worry about the session id? Just let PHP handle it. You don't
>want to store the session id in a database - the data will be gone soon,
>anyway. Then you're left with a session id in the database but no
>session to go with it.

I'd prefer to use a session save handler and store all the session
data in a database rather than in a bunch of little files in a
directory. (Although, generally, letting PHP handle most details
of sessions works well.) For one thing, if I want my sessions to
expire *RELIABLY* on time, something like:

    delete from sessiontable where lasthittime < subdate(now(), interval 4 hour);

run every 10 minutes (Or better, the session restore handler can simply
not find the existing session record if it's even one second over expired.)

seems to operate much quicker than looking at file stamps on a lot
of session files every 10 minutes. Clearing all the sessions on
reboot is also much faster. And sometimes the database entries are
more convenient to deal with than little files if you're trying to
debug something.

Should you have a reason for an admin page that lists currently
logged-in users, fetching that info out of a database may be much
easier than looking at lots of little files.

>>>> - Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
>>>> address of the format xxx.xxx.xxx.xxx, or can this also be an IPV6
>>>> address or other?

If your server is on an IPv6 network, there may well not be any
IPv4 address that corresponds, so it would have to give you an IPv6
address or something useless.

>>> Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
>>> useful manner. It comes directly from the ip header. It is also the
>>> ip address where the response would be sent. And while theoretically
>>> it could be forged, this requires hacking into the ip stack itself,
>>> not just a simple script or browser change - much more complicated
>>> than forging some of the other header values (like HTTP_REFERER). And
>>> it's really only useful for a DOS attack.
>>>
>>> But this can be an IPV6 address if/when your hosting company goes
>>> that way.
>> To be honest, I never understood what is the point in collecting this
>> value at all, it just had been there in the first sample script I got
>> from my first PHP teacher years ago...

The IP address and timestamp are useful in making complaints to
ISPs about their malicious users, especially when they DOS attack
you, and in making complaints to police when they use stolen credit
card numbers at your site.
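
Added example, not part of the original post: a sketch of the database-backed session save handler discussed above, where the read handler ignores a record once it is past the 4-hour limit and the address from $_SERVER['REMOTE_ADDR'] is stored in a column wide enough for IPv6. The class name, the data and remote_addr columns, and the in-memory SQLite DSN are assumptions made so the block runs on its own (PHP 8 with pdo_sqlite); sessiontable and lasthittime follow the post's query.

```php
<?php
// Added example: class name, extra columns and DSN are assumptions, not the poster's code.
final class DbSessionHandler implements SessionHandlerInterface
{
    private const TTL = 4 * 3600; // seconds, matching the post's "interval 4 hour"

    public function __construct(private PDO $db)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE IF NOT EXISTS sessiontable (
            id TEXT PRIMARY KEY, data BLOB NOT NULL,
            lasthittime INTEGER NOT NULL, remote_addr TEXT)'); // VARCHAR(45) on MySQL
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // An expired row is simply not found, even if gc() has not run yet.
        $q = $this->db->prepare('SELECT data FROM sessiontable WHERE id = ? AND lasthittime >= ?');
        $q->execute([$id, time() - self::TTL]);
        $data = $q->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        // inet_pton() accepts IPv4 and IPv6; inet_ntop() gives the canonical text form (max 45 chars).
        $bin = @inet_pton($_SERVER['REMOTE_ADDR'] ?? '');
        $q = $this->db->prepare('REPLACE INTO sessiontable (id, data, lasthittime, remote_addr) VALUES (?, ?, ?, ?)');
        return $q->execute([$id, $data, time(), $bin === false ? null : inet_ntop($bin)]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessiontable WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // The fixed TTL is used instead of $max_lifetime so read() and gc() agree on expiry.
        return $this->db->exec('DELETE FROM sessiontable WHERE lasthittime < ' . (time() - self::TTL));
    }
}

// Constructed DSN for a stand-alone run; a real site would point PDO at its persistent database.
session_set_save_handler(new DbSessionHandler(new PDO('sqlite::memory:')), true);
```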
