Hi Madara,

On Thu, Sep 26, 2013 at 7:49 AM, Madara Uchiha <mad...@tchizik.com> wrote:

> Why couldn't this be implemented on userland again? I don't feel this
> is a language level issue.
>

PHP is not only a language, but also a meta framework.
It is better to think of it as how a framework supports sessions, IMHO.
I suppose there aren't many PHP frameworks that implement
a session manager themselves.

Any user may implement this themselves. It's not difficult.

<?php
session_start();
// $CLIENT_IP depends on configuration (e.g. REMOTE_ADDR, or a
// proxy-supplied header behind a trusted reverse proxy)
$CLIENT_IP = $_SERVER['REMOTE_ADDR'];
if (($_SESSION['IP'] ?? null) !== $CLIENT_IP) {
    // Client address changed (or first request): rebind and get a fresh ID
    $_SESSION['IP'] = $CLIENT_IP;
    session_regenerate_id(true);
}

The motivation is not to make things easier, but to encourage users
to use more secure session management. The session ID must be regenerated
when an event happens, e.g. login. The session ID should be regenerated
periodically to reduce hijack risk, too. Users should regenerate the session
ID anyway. Why not support "should/must be done" operations?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

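Added example (not code from the message above or from PHP itself): a userland sketch of the policy the message describes, regenerating the session ID on a privilege change (login), on a client address change, and periodically. The interval constant, the function names, the $_SESSION keys and the use of REMOTE_ADDR as the client address are all assumptions for illustration.

```php
<?php
// Added example, not from the original message. Assumptions: the interval
// value, the function names, the $_SESSION keys, and REMOTE_ADDR as the
// client address (behind a trusted reverse proxy you would use the
// proxy-supplied header instead).
declare(strict_types=1);

const SESSION_REGEN_INTERVAL = 300; // seconds between periodic regenerations (assumed)

function client_ip(): string
{
    // Depends on deployment; plain REMOTE_ADDR is assumed here.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function regenerate_session(): void
{
    // true = delete the old session data so the old ID cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['regenerated_at'] = time();
}

function start_secure_session(): void
{
    session_start();
    $now = time();
    $ip  = client_ip();

    if (!isset($_SESSION['IP'])) {
        // First use of this session: bind it to the client address.
        $_SESSION['IP'] = $ip;
        $_SESSION['regenerated_at'] = $now;
    } elseif ($_SESSION['IP'] !== $ip) {
        // Client address changed: rebind and issue a fresh ID.
        $_SESSION['IP'] = $ip;
        regenerate_session();
    } elseif (($now - (int) ($_SESSION['regenerated_at'] ?? 0)) > SESSION_REGEN_INTERVAL) {
        // Periodic regeneration limits how long a stolen ID stays useful.
        regenerate_session();
    }
}

function login_user(int $userId): void
{
    // Privilege change: always regenerate, which also defeats session fixation
    // (an attacker who planted the pre-login ID no longer knows the new one).
    regenerate_session();
    $_SESSION['user_id'] = $userId;
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

start_secure_session();
```

Two caveats a practitioner would want: binding a session to the client address forces regeneration whenever a legitimate client's address changes (mobile networks, some proxy pools), so treat the IP check as a heuristic rather than a hard hijack signal; and deleting the old session immediately with session_regenerate_id(true) means any request from the same client still in flight with the old ID will find no session data, so applications that issue concurrent requests need a short grace period or a rewrite of the old record instead of immediate deletion.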