Posted by Jerry Stuckle on 02/03/07 05:16
Markus wrote:
> Hi
>
> In cases where I need to store the session id and/or the remote host in
> a database I used to choose tinytext fields so far. Anyway the usual
> values for session ids are of 32 characters length, and IP addresses not
> longer than 15 characters - so using char(32) resp. char(15) would
> actually improve the database performance. But I did not find
> information whether this is safe or not.
>
> So my questions are:
> - Is a PHP session id always 32 characters long (if it is generated
> normally with session_start() of course), or can its format vary due to
> PHP versions or configurations (I work in shared hosting environments)?
Currently it's 32 characters long. That's not to say it can't change in
future releases.
> - Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP address
> of the format xxx.xxx.xxx.xxx, or can this also be an IPV6 address or
> other?
>
Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
useful manner. It comes directly from the IP header. It is also the IP
address where the response would be sent. And while theoretically it
could be forged, this requires hacking into the IP stack itself, not
just a simple script or browser change - much more complicated than
forging some of the other header values (like HTTP_REFERER). And it's
really only useful for a DOS attack.
But this can be an IPV6 address if/when your hosting company goes
that way.
> Thanks for a clarification!
> Markus
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
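
An added example, not part of the original post: one way to store both values without assuming a 32-character session id or a dotted-quad address. The function names, the VARBINARY(16) address column and the VARCHAR(128) session id column are assumptions made for illustration, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. Helper names and column sizes
// are hypothetical choices for illustration.

// Pack REMOTE_ADDR for a VARBINARY(16) column: 4 bytes for IPv4,
// 16 bytes for IPv6. Returns null when the value is not an IP literal.
function pack_remote_addr(string $addr): ?string
{
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($addr);
    return $packed === false ? null : $packed;
}

// Accept a session id only if it fits the column and uses the characters
// PHP's file session handler allows (a-z A-Z 0-9 , -). The length is a
// parameter rather than a fixed 32, since it can differ between setups.
function session_id_fits(string $sid, int $maxLen = 128): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{1,' . $maxLen . '}\z/', $sid) === 1;
}

// Constructed sample addresses: IPv4, IPv6, IPv4-mapped IPv6, garbage.
$samples = ['203.0.113.7', '2001:db8::1', '::ffff:203.0.113.7', 'not-an-ip'];
foreach ($samples as $addr) {
    $packed = pack_remote_addr($addr);
    if ($packed === null) {
        echo "$addr: rejected\n";
        continue;
    }
    // inet_ntop() restores the text form when reading the row back.
    printf("%s: %d bytes, reads back as %s\n",
        $addr, strlen($packed), inet_ntop($packed));
}

// Constructed sample session ids: 32 chars, 48 chars, invalid characters.
$ids = [
    str_repeat('a1b2c3d4', 4),
    str_repeat('Zz9,-0', 8),
    "abc'; --",
];
foreach ($ids as $sid) {
    printf("%d chars: %s\n", strlen($sid),
        session_id_fits($sid) ? 'ok to store' : 'rejected');
}
```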