Reply to Re: Format of session id and $_SERVER['REMOTE_ADDR']

Your name:

Reply:


Posted by Jerry Stuckle on 02/06/07 12:13

J.O. Aho wrote:
> Markus wrote:
>> Jerry Stuckle schrieb:
>>>> - Is a PHP session id always 32 characters long (if it is generated
>>>> normally with session_start() of course), or can it's format vary
>>>> due to PHP versions or configurations (I work in shared hosting
>>>> envirnoments)?
>>>
>>> Currently it's 32 characters long. That's not to say it can't change
>>> in future releases.
>> So as I use it only for temporary data, such as shopping cart orders
>> or administrator activities, I assume it is a good idea to work with
>> substr(session_id(), 0, 32);
>
> If you try to insert a longer string into the database than the column
> allows, it will automatically be turnicated to the max length for the
> column, so you don't have to use substr more when you compare the two
> values. Of you just assume it's 32 characters long until the day you
> notice it don't anymore work, when you ALTER the table to give more
> space for session id's.
>
>
>>>> - Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
>>>> address of the format xxx.xxx.xxx.xxx, or can this also be an IPV6
>>>> address or other?
>>
>> To be honest, I never understood what is the point in collecting this
>> value at all, it just had been there in the first sample script I got
>> from my first PHP teacher years ago...
>
> The vast majority of users will have one and the same IP-number each
> time they request a page during the same session, so you can use that
> ip-number to check if the request comes from the same machine or not, it
> you get another ip, you can assume that someone has managed to sniff the
> session id and trying to take over that session, then you could
> terminate the session and request for the user to login once more.
>

Mostly true. But man users can change IP addresses each time because
they are using a pool of proxy servers. AOL is a great example of this,
but there are others.

And most corporations have a firewall and everyone behind the firewall
uses the same IP address. So you could have hundreds or even thousands
of people using the same IP address.

> If you feel it's overkill, then remove the whole thing, no point in
> keeping a IP-number in a database if you not gona use it.
>

Sessions are not security. If you need security, use a secure protocol.
Then you won't have a problem with sniffing session id's.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация