Re: Session IP address matching

From: Ralf Lang
Date: Sat, 25 Jan 2014 14:35:39 +0000
Subject: Re: Session IP address matching
Groups: php.internals
On 25.01.2014 15:11, Andreas Heigl wrote:
> On 25.01.14 04:15, Andrey Andreev wrote:
>> On Sat, Jan 25, 2014 at 4:21 AM, Andrea Faulds <ajf@ajf.me> wrote:
>>>
>>>
>>> On 25/01/14 01:11, Andrey Andreev wrote:
>>>>
>>>> Yes, one can write a custom session handler, but there's a number of
>>>> problems with that:
>>>
>>>
>>> Correct me if I'm wrong, but why would you need to do that? Surely, this
>>> would suffice:
>>>
>>>     if (!isset($_SESSION['ip'])) {
>>>         $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
>>>     } else if ($_SERVER['REMOTE_ADDR'] !== $_SESSION['ip']) {
>>>         session_destroy();
>>>     }
>>>
>>
>>  - I don't want the IP stored in session data, I already know it.
>>  - filemtime() result of the potentially targeted session id is
>> changed, extending its expiry time
>>  - multiple set-cookie headers
>>
>> Basically, I want it to be perfect. :)
>>
> Hi all.
> 
> Don't bash me when I'm wrong, but why would you want the IP check for
> the session in the first place? Don't get me wrong, I'm definitely in
> favour of more security, but the issue I see, is the following:
> When a user has an ISP that regularly changes the IP-address assigned
> to the user via DHCP the session then is lost, isn't it? So suddenly the
> user is logged off without any apparent reason whatsoever.
> 
> And if that's not a problem, please take into account the users real
> address and not the address of any proxy that is in between (at least
> when it's possible to determine it). And that involves a lot of header
> checks, whether one or the other is set. And as soon as the appropriate
> header is not set (which might be the case due to proxy misbehaviour or
> misconfiguration), you will "only" have the IP of the Proxy. So all
> users behind such a proxy will share the same IP-address. The same goes
> for users behind NAT in a private network.

We have this security feature in userspace code in Horde 3-5, but it's
of limited value because all installations with corporate network users
need to turn it off (because their IPs are constantly changing).


-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang@b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
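An added example (not code from this thread, from Horde, or from PHP itself) showing how two of the problems raised above can be handled in userland: the client address is resolved through a fixed list of trusted reverse proxies so a missing or client-supplied X-Forwarded-For header cannot pass the check, and a mismatch replaces the session id once instead of destroying and restarting it. The TRUSTED_PROXIES list is a hypothetical value; the filemtime() concern still needs a custom handler, since session_start() must read the session before anything can be compared.

```php
<?php
// Hypothetical addresses of our own reverse proxies; only these may
// supply X-Forwarded-For. Anyone else is taken at REMOTE_ADDR face value.
const TRUSTED_PROXIES = ['10.0.0.1', '10.0.0.2'];

// Resolve the client address as seen by the outermost trusted proxy.
function client_ip(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;                 // direct connection: header is untrusted
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;                 // proxy misbehaved: fall back to proxy IP
    }
    // Walk the chain from the right; the first hop that is not one of our
    // proxies is the client. Anything further left was set by the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
        }
    }
    return $remote;
}

// Bind the session to $ip. Returns false when an existing session was
// discarded because it belonged to a different address.
function enforce_session_ip(string $ip): bool {
    session_start();
    if (!isset($_SESSION['ip'])) {
        $_SESSION['ip'] = $ip;          // first request: record the address
        return true;
    }
    if ($_SESSION['ip'] === $ip) {
        return true;
    }
    // Mismatch: wipe the data, retire the old id and continue with a fresh
    // one. session_regenerate_id(true) emits a single Set-Cookie for the
    // new id, unlike session_destroy() followed by another session_start().
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['ip'] = $ip;
    return false;
}

if (!enforce_session_ip(client_ip($_SERVER))) {
    http_response_code(403);            // or redirect to the login page
}
```

Users behind NAT or a shared corporate proxy still share one address, so this check cannot distinguish them, which is the limitation Ralf describes.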



