Posted by Jerry Stuckle on 02/06/07 12:13
J.O. Aho wrote:
> Markus wrote:
>> Jerry Stuckle schrieb:
>>>> - Is a PHP session id always 32 characters long (if it is generated
>>>> normally with session_start() of course), or can its format vary
>>>> due to PHP versions or configurations (I work in shared hosting
>>>> environments)?
>>>
>>> Currently it's 32 characters long. That's not to say it can't change
>>> in future releases.
>> So as I use it only for temporary data, such as shopping cart orders
>> or administrator activities, I assume it is a good idea to work with
>> substr(session_id(), 0, 32);
>
> If you try to insert a longer string into the database than the column
> allows, it will automatically be truncated to the max length for the
> column, so you don't have to use substr any more when you compare the two
> values. Or you just assume it's 32 characters long until the day you
> notice it doesn't work anymore, when you ALTER the table to give more
> space for session ids.
>
>
>>>> - Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
>>>> address of the format xxx.xxx.xxx.xxx, or can this also be an IPV6
>>>> address or other?
>>
>> To be honest, I never understood what is the point in collecting this
>> value at all, it just had been there in the first sample script I got
>> from my first PHP teacher years ago...
>
> The vast majority of users will have one and the same IP number each
> time they request a page during the same session, so you can use that
> IP number to check if the request comes from the same machine or not; if
> you get another IP, you can assume that someone has managed to sniff the
> session id and is trying to take over that session, then you could
> terminate the session and request that the user log in once more.
>
Mostly true. But many users can change IP addresses each time because
they are using a pool of proxy servers. AOL is a great example of this,
but there are others.
And most corporations have a firewall and everyone behind the firewall
uses the same IP address. So you could have hundreds or even thousands
of people using the same IP address.
> If you feel it's overkill, then remove the whole thing, no point in
> keeping an IP number in a database if you're not going to use it.
>
Sessions are not security. If you need security, use a secure protocol.
Then you won't have a problem with sniffing session ids.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
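The following is an added example (it is not code from the thread or from any poster) that shows how a practitioner would act on the points made in this post: derive the expected session id format from the running PHP configuration instead of hard-coding 32, store REMOTE_ADDR in a form that holds both IPv4 and IPv6, put the real protection in TLS-only cookies and server-side session settings, and keep the IP-address comparison as a logged signal rather than the security decision. The function names are this example's own; the session ini settings and cookie-parameter array form assume PHP 7.3 or later, and the constructed inputs at the bottom exist only so the file can be run from the command line.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the thread. Function names below are this
 * example's own. Illustrates: don't hard-code the 32-character session id
 * length, don't assume REMOTE_ADDR is an IPv4 dotted quad, and don't treat
 * an IP-address match as the session's security (use TLS and server-side
 * session controls instead).
 */

/** Build a regex for a well-formed session id from the running configuration.
 *  session.sid_length and session.sid_bits_per_character exist since PHP 7.1;
 *  on older versions ini_get() returns false and we fall back to the classic
 *  32-character hex id the thread describes. */
function session_id_pattern(): string
{
    $length = (int) (ini_get('session.sid_length') ?: 32);
    switch ((int) (ini_get('session.sid_bits_per_character') ?: 4)) {
        case 5:  $chars = '0-9a-v';        break;
        case 6:  $chars = '0-9a-zA-Z,-';   break;
        default: $chars = '0-9a-f';        break;   // 4 bits per character: hex
    }
    return '/^[' . $chars . ']{' . $length . '}\z/';
}

/** Reject anything that is not a session id before it reaches a query or a
 *  filename; letting the column silently truncate it is not a check. */
function is_well_formed_session_id(string $sid): bool
{
    return preg_match(session_id_pattern(), $sid) === 1;
}

/** Normalise REMOTE_ADDR into fixed-width binary form for storage.
 *  IPv4 packs to 4 bytes and IPv6 to 16, so a VARBINARY(16) column holds
 *  both; a CHAR(15) sized for "xxx.xxx.xxx.xxx" would truncate IPv6. */
function pack_client_address(string $remoteAddr): ?string
{
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($remoteAddr);
    return $packed === false ? null : $packed;
}

/** Start a session with the server-side protections that actually matter:
 *  cookie-only ids, strict mode (ids the server never issued are rejected),
 *  and a cookie that is only sent over HTTPS and not readable by scripts.
 *  The array form of session_set_cookie_params() needs PHP 7.3+. */
function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    if (empty($_SESSION['created'])) {
        // Fresh session: issue a new id so a pre-set cookie value cannot be reused.
        session_regenerate_id(true);
        $_SESSION['created'] = time();
    }
}

/** The IP-binding heuristic from the thread, kept as a signal rather than a
 *  verdict: the first request pins the address; a later mismatch returns false
 *  so the caller can log it or require re-authentication for sensitive actions.
 *  Proxy pools (one user, many addresses) make it fire spuriously and NAT
 *  (many users, one address) lets an attacker pass it, so it cannot be the
 *  only control. */
function client_address_matches(array &$session, string $remoteAddr): bool
{
    $packed = pack_client_address($remoteAddr);
    if ($packed === null) {
        return false;
    }
    if (!isset($session['bound_addr'])) {
        $session['bound_addr'] = $packed;
        return true;
    }
    return hash_equals($session['bound_addr'], $packed);
}

// Constructed inputs for a quick CLI run (php this_file.php); no web server needed.
$examples = [
    str_repeat('a', 32),      // well-formed hex id under the default configuration
    str_repeat('a', 40),      // too long: a narrow column would silently truncate it
    '../../etc/passwd',       // path-looking garbage that must never reach a query
];
foreach ($examples as $sid) {
    printf("%-20s well-formed: %s\n", substr($sid, 0, 20),
        is_well_formed_session_id($sid) ? 'yes' : 'no');
}
$session = [];
var_dump(client_address_matches($session, '203.0.113.7'));   // first request pins the address
var_dump(client_address_matches($session, '203.0.113.7'));   // same address on the next request
var_dump(client_address_matches($session, '2001:db8::1'));   // address changed (and is IPv6)
```

The check in client_address_matches() is deliberately separated from start_hardened_session(): the cookie flags and strict mode are what stop a sniffed or fixated id from being replayed, while the address comparison only tells you that something about the client changed and should, at most, trigger re-authentication for sensitive actions rather than an automatic logout.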