Re: How PHP Session ID is proved to be unique?

Posted by David T. Ashley on 06/24/07 15:16

"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:tZmdnS4fuL2l8OPbnZ2dnUVZ_s-rnZ2d@comcast.com...
> David T. Ashley wrote:
>> I've never used the PHP sessions (my code assigns its own session IDs).
>>
>> The particular approach I use to ensure uniqueness is to concatenate
>> time, microtime, and PID, and then to spinlock until the microtime
>> changes. This works because no two processes can have the same PID at
>> the same time.
>>
>> As Herr Moller pointed out, IP isn't directly involved in session ID.
>> However, when a session is opened on my systems, there is some
>> server-side state held to remember the session and related data,
>> including the IP. If there is another connection made using the same
>> session ID from a different IP, the software assumes that it is a
>> forgery, kills the session(s) involved, and writes alarming things in the
>> logfiles.
>>
>> I don't know what security best practices are for sessions, but I think
>> if the IP changes during a session it would be unusual.
>>
>> Dave.
>>
>
> It is actually quite common for an IP to change during a session - for
> instance, AOL users have a "round robin" proxy system which picks the
> least busy proxy at the time the request is being made. Many large
> corporations have similar.
>
> And, of course, dynamic addresses can change at any time; some ISP's run
> leases as short as 1 hour.

Thanks for the heads up. It would have EVENTUALLY come out in testing with
users getting tossed, but better to know this in advance.

Makes sense.

I will change my code accordingly.
--
David T. Ashley (dta@e3ft.com)
http://www.e3ft.com (Consulting Home Page)
http://www.dtashley.com (Personal Home Page)
http://gpl.e3ft.com (GPL Publications and Projects)
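The two mechanisms discussed in this thread, a session ID built from time, microtime and PID with a spin until the microsecond clock moves on, and a server-side session record that remembers the client IP and flags a mismatch, as an added example in Python that is not code from either poster. Names such as `unique_session_id`, `SessionStore` and the `kill_on_ip_mismatch` switch are assumptions for illustration; the switch lets the same store run with the original "kill and log" policy or with the relaxed "log and report" behaviour that the reply about round-robin proxies and short DHCP leases argues for. The `random_session_id` helper is included only to contrast uniqueness with unguessability: the clock-plus-PID scheme guarantees that no two IDs collide, but an observer who knows roughly when a session was opened has very little to guess, which is why a CSPRNG is the normal choice.

```python
import logging
import os
import secrets
import time

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("sessions")

_last_us = 0  # last microsecond timestamp handed out by this process


def unique_session_id() -> str:
    """ID = seconds + microseconds + PID, spinning until the microsecond clock
    differs from the previous call. Two calls in one process therefore never
    share a timestamp, and two processes never share a PID at the same time,
    which is the uniqueness argument from the original post."""
    global _last_us
    while True:
        now_us = time.time_ns() // 1000
        if now_us != _last_us:
            break  # clock moved on; safe to use this timestamp
    _last_us = now_us
    secs, micros = divmod(now_us, 1_000_000)
    return f"{secs}{micros:06d}{os.getpid()}"


def random_session_id() -> str:
    """Contrast: 128 bits from the OS CSPRNG (hypothetical alternative, not
    from the thread). Unique with overwhelming probability and, unlike the
    clock-based ID, not derivable from the session's creation time."""
    return secrets.token_hex(16)


class SessionStore:
    """Server-side session state: remembers the IP that opened each session.

    kill_on_ip_mismatch=True reproduces the original post's policy (treat a
    different IP as forgery, destroy the session, write to the log).
    kill_on_ip_mismatch=False keeps the log entry but leaves the session alive,
    the adjustment the reply recommends because proxies and DHCP leases make
    legitimate mid-session IP changes common."""

    def __init__(self, kill_on_ip_mismatch: bool = False):
        self.kill_on_ip_mismatch = kill_on_ip_mismatch
        self._sessions: dict[str, dict] = {}  # sid -> {"ip": ..., "user": ...}

    def open(self, client_ip: str, user: str) -> str:
        sid = unique_session_id()
        self._sessions[sid] = {"ip": client_ip, "user": user}
        return sid

    def validate(self, sid: str, client_ip: str) -> str:
        """Return 'ok', 'unknown' or 'ip-mismatch' for a request presenting sid."""
        rec = self._sessions.get(sid)
        if rec is None:
            return "unknown"
        if rec["ip"] == client_ip:
            return "ok"
        # "Writes alarming things in the logfiles": record the mismatch either way.
        log.warning("session %s for user %s opened from %s, now seen from %s",
                    sid, rec["user"], rec["ip"], client_ip)
        if self.kill_on_ip_mismatch:
            del self._sessions[sid]  # original policy: assume forgery, kill it
        return "ip-mismatch"

    def is_alive(self, sid: str) -> bool:
        return sid in self._sessions


if __name__ == "__main__":
    # Constructed sample traffic: one user whose proxy changes mid-session.
    store = SessionStore(kill_on_ip_mismatch=False)
    sid = store.open("198.51.100.7", "alice")
    print(sid, store.validate(sid, "198.51.100.7"))
    print(store.validate(sid, "198.51.100.9"), "alive:", store.is_alive(sid))
    print("csprng id:", random_session_id())
```

Run it directly to see one session survive a proxy change with a warning in the log; flip the constructor flag to `True` to watch the original kill-on-mismatch policy drop the session instead.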
