Posted by Jerry Stuckle on 06/24/07 13:10
David T. Ashley wrote:
> I've never used the PHP sessions (my code assigns its own session IDs).
>
> The particular approach I use to ensure uniqueness is to concatenate time,
> microtime, and PID, and then to spinlock until the microtime changes. This
> works because no two processes can have the same PID at the same time.
>
> As Herr Moller pointed out, IP isn't directly involved in session ID.
> However, when a session is opened on my systems, there is some server-side
> state held to remember the session and related data, including the IP. If
> there is another connection made using the same session ID from a different
> IP, the software assumes that it is a forgery, kills the session(s)
> involved, and writes alarming things in the logfiles.
>
> I don't know what security best practices are for sessions, but I think if
> the IP changes during a session it would be unusual.
>
> Dave.
>
It is actually quite common for an IP to change during a session - for
instance, AOL users have a "round robin" proxy system which picks the
least busy proxy at the time the request is being made. Many large
corporations have similar.
And, of course, dynamic addresses can change at any time; some ISPs run
leases as short as 1 hour.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
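The following is an added example and is not code from either poster. It reconstructs the session-ID scheme David describes (time, microtime and PID concatenated, spinning until microtime advances) beside the CSPRNG-based alternative current practice uses, and models the server-side, IP-bound session state he describes so that the case Jerry raises (a legitimate client whose address changes mid-session) can be exercised. The class and function names, the log format and the sample addresses are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Names and the sample
// addresses below are illustrative assumptions.

// 1. The scheme from the quoted post: unique per process and tick, but built
//    only from values an observer can estimate (wall clock, small PID range).
function timePidSessionId(): string
{
    $start = microtime(true);
    do {
        $now = microtime(true);          // spin until the clock moves forward
    } while ($now <= $start);
    return sprintf('%d-%.6F-%d', time(), $now, getmypid());
}

// 2. What current practice uses instead: 128 bits from the OS CSPRNG.
//    Uniqueness follows from unpredictability; no spinlock is needed.
function randomSessionId(): string
{
    return bin2hex(random_bytes(16));
}

// 3. Minimal server-side session store modelling the IP-binding check.
final class SessionStore
{
    /** @var array<string, array{ip: string, reauth: bool}> */
    private array $sessions = [];
    /** @var list<string> */
    public array $log = [];

    public function open(string $clientIp): string
    {
        $id = randomSessionId();
        $this->sessions[$id] = ['ip' => $clientIp, 'reauth' => false];
        return $id;
    }

    // Strict behaviour as described in the quoted post: any IP mismatch is
    // treated as forgery, the session is destroyed and an alarm is logged.
    public function resumeStrict(string $id, string $clientIp): bool
    {
        if (!isset($this->sessions[$id])) {
            return false;
        }
        $bound = $this->sessions[$id]['ip'];
        if ($bound !== $clientIp) {
            $this->log[] = sprintf('ALARM: session %s seen from %s, bound to %s; killed',
                $id, $clientIp, $bound);
            unset($this->sessions[$id]);
            return false;
        }
        return true;
    }

    // Lenient alternative for the environments Jerry describes (proxy pools,
    // short DHCP leases): keep the session, record the change, and require
    // re-authentication before the next sensitive action instead of killing it.
    public function resumeLenient(string $id, string $clientIp): bool
    {
        if (!isset($this->sessions[$id])) {
            return false;
        }
        if ($this->sessions[$id]['ip'] !== $clientIp) {
            $this->log[] = sprintf('NOTICE: session %s moved from %s to %s; step-up required',
                $id, $this->sessions[$id]['ip'], $clientIp);
            $this->sessions[$id]['ip'] = $clientIp;
            $this->sessions[$id]['reauth'] = true;
        }
        return true;
    }

    public function needsReauth(string $id): bool
    {
        return $this->sessions[$id]['reauth'] ?? false;
    }
}

// Usage: a user behind a rotating proxy pool (constructed addresses).
$store = new SessionStore();
$id = $store->open('10.0.0.5');
var_dump($store->resumeStrict($id, '10.0.0.5'));   // bool(true)
var_dump($store->resumeStrict($id, '10.0.0.6'));   // bool(false): a proxy switch killed it

$id2 = $store->open('10.0.0.5');
var_dump($store->resumeLenient($id2, '10.0.0.6'));  // bool(true), flagged for step-up
var_dump($store->needsReauth($id2));                // bool(true)
print_r($store->log);
echo timePidSessionId(), PHP_EOL, randomSessionId(), PHP_EOL;
```

Note the difference between the two ID generators: `timePidSessionId()` guarantees two concurrent requests never collide, which is all the quoted post set out to do, but an identifier built from the clock and a PID is guessable by anyone who can estimate when a victim logged in, so it does not serve as an unforgeable token. `randomSessionId()` gets uniqueness as a by-product of unpredictability. The `resumeLenient()` path is one common compromise once you accept, per Jerry's reply, that a changed address is usually a proxy or lease change rather than a stolen session; it is an assumption of this example, not something either poster recommended.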