Posted by Jerry Stuckle on 02/06/07 12:10
Markus wrote:
> Jerry Stuckle schrieb:
>>> - Is a PHP session id always 32 characters long (if it is generated
>>> normally with session_start() of course), or can its format vary due
>>> to PHP versions or configurations (I work in shared hosting
>>> environments)?
>>
>> Currently it's 32 characters long. That's not to say it can't change
>> in future releases.
> So as I use it only for temporary data, such as shopping cart orders or
> administrator activities, I assume it is a good idea to work with
> substr(session_id(), 0, 32);
>
Why even worry about the session id? Just let PHP handle it. You don't
want to store the session id in a database - the data will be gone soon,
anyway. Then you're left with a session id in the database but no
session to go with it.
>>> - Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
>>> address of the format xxx.xxx.xxx.xxx, or can this also be an IPV6
>>> address or other?
>>
>> Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
>> useful manner. It comes directly from the ip header. It is also the
>> ip address where the response would be sent. And while theoretically
>> it could be forged, this requires hacking into the ip stack itself,
>> not just a simple script or browser change - much more complicated
>> than forging some of the other header values (like HTTP_REFERER). And
>> it's really only useful for a DOS attack.
>>
>> But this can be an IPV6 address if/when your hosting company goes
>> that way.
> To be honest, I never understood what the point is in collecting this
> value at all, it just had been there in the first sample script I got
> from my first PHP teacher years ago...
>
> Thanks a lot for your helpful info!
> Markus
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
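The thread's second point, that REMOTE_ADDR may one day be an IPv6 address rather than xxx.xxx.xxx.xxx, is easy to get wrong in code that validates or stores the value. The following is an added example, not code from the thread or from either poster; it uses PHP's built-in filter_var() and inet_pton(), and the sample addresses are constructed:

```php
<?php
// Added example: handle $_SERVER['REMOTE_ADDR'] as "an IP address" of either
// family instead of assuming a dotted quad. Requires PHP 5.2+ (filter_var).

function client_ip(array $server)
{
    $raw = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // Reject anything that is not a syntactically valid IPv4 or IPv6 address.
    // A regex for xxx.xxx.xxx.xxx would wrongly reject every IPv6 client.
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    $family = (filter_var($raw, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) ? 6 : 4;

    // inet_pton() yields 4 bytes for IPv4 and 16 for IPv6, so a single
    // VARBINARY(16) column (rather than a CHAR(15)) can hold either family.
    $packed = inet_pton($raw);

    return array(
        'text'   => $raw,
        'family' => $family,
        'packed' => $packed,
        'bytes'  => strlen($packed),
    );
}

// Constructed sample values: one of each family plus a bogus header value.
$samples = array('203.0.113.7', '2001:db8::1', 'not-an-ip');

foreach ($samples as $sample) {
    $info = client_ip(array('REMOTE_ADDR' => $sample));
    if ($info === null) {
        echo "$sample: rejected\n";
        continue;
    }
    // Expected: IPv4 -> family 4, 4 bytes; IPv6 -> family 6, 16 bytes
    printf("%s: IPv%d, %d packed bytes\n", $info['text'], $info['family'], $info['bytes']);
}
```

The same "size it for the larger form" thinking applies to the first point in the thread: if the session id is ever stored, give the column room for more than 32 characters rather than truncating with substr().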