Hi Andrey,

On Sun, Jan 25, 2015 at 11:54 AM, Andrey Andreev <n...@devilix.net> wrote:

> To prevent session fixation?
>
> Doesn't matter, I was just giving you an example.

If an app may assume that clients have a constant IP, then the IP may be used to prevent stolen sessions. Unfortunately, we live in a mobile world, so this solution may be used only under very limited environments.

Using a save handler for this purpose may trigger an error from an unknown file/line. I would advise writing the following code somewhere in the usual locations.

    if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
        log_security_breach();
        session_regenerate_id();
        session_unset();
        die_or_trigger_error_if_it_is_needed();
    }

Anyway, if anyone would like to implement something fancy in save handlers, beware that it may result in consequences that you may not be willing to have.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
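The check described above, written out as an added example (not code from the thread or from PHP itself): it records the address on the first request, handles the mismatch by logging and rotating the session, and optionally compares only a network prefix to soften the mobile-network problem the reply mentions. The function names, the `last_ip` key reuse and the prefix option are my own assumptions.

```php
<?php
// Added example, not code from the thread: bind the session to the client
// address in ordinary request code (not in a save handler). Names are mine.

// Mask $ip to its first $bits bits; $bits <= 0 keeps the whole address.
function ip_prefix(string $ip, int $bits): string
{
    if ($bits <= 0) {
        return $ip;
    }
    $packed = inet_pton($ip);
    if ($packed === false || $bits >= strlen($packed) * 8) {
        return $ip;
    }
    $full = intdiv($bits, 8);
    $rem  = $bits % 8;
    $mask = str_repeat("\xff", $full)
          . ($rem ? chr((0xff << (8 - $rem)) & 0xff) : '')
          . str_repeat("\x00", strlen($packed) - $full - ($rem ? 1 : 0));
    return inet_ntop($packed & $mask);   // string & string = byte-wise AND
}

// Returns true while the session still belongs to the address that created
// it. First request: record the address. Mismatch: log, discard the session
// data, rotate the id and return false so the caller forces re-login.
// $prefixBits (e.g. 24 for IPv4, 64 for IPv6) compares only a network prefix
// to reduce false positives on mobile networks; 0 compares the full address.
function session_bind_client_ip(string $remoteAddr, int $prefixBits = 0): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $current = ip_prefix($remoteAddr, $prefixBits);
    if (!isset($_SESSION['last_ip'])) {
        $_SESSION['last_ip'] = $current;
        return true;
    }
    if (hash_equals($_SESSION['last_ip'], $current)) {
        return true;
    }
    error_log(sprintf('session %s: client address changed from %s to %s',
        session_id(), $_SESSION['last_ip'], $current));
    session_unset();
    session_regenerate_id(true);         // true: delete the old session data
    return false;
}

// Usage at the start of a request, before any privileged action:
if (!session_bind_client_ip($_SERVER['REMOTE_ADDR'] ?? '', 0)) {
    http_response_code(403);
    exit('Session invalidated, please log in again.');
}
```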