Hi All, There's always been a lot of discussion about how safe sessions are. I'd like to store a complete user object (instance of a class) in a session with the best security measures possible. Who doesn't.
Now, to prevent the session file from being stolen off the server by some other user of the virtual host, I did this to my object:

    # Called upon serialization of the object. It stores the IP address and serialization time.
    function __sleep() {
        $this->Night = Array('Time' => time(), 'IP' => $_SERVER['REMOTE_ADDR']);
        return Array('Data', 'Night');
    }

    # When deserialized we are called and need to check if the stored IP address equals the client's
    function __wakeup() {
        global $Log;
        if ($_SERVER['REMOTE_ADDR'] != $this->Night['IP']) {
            $Log->Warning('IP Address changed during sleep and wakeup, will clear userdata');
            $this->Data = Array();
        }
    }

Upon sleep it stores the IP and time in the session data, and when it smells coffee my object wakes up, checks if he's still being used from the same host and, if not, the userdata is plainly cleared.

This all probably takes care of the problem with session ids in the query string, which is known as the referrer to the next website our visitor visits.

What I'm worrying and wondering about now are other users of the server my site's at. They can most likely go into the /tmp folder and just read my session files. Not nice.

I know it has been discussed for quite some time now, but I never really found anything other than warnings about stuff, no real solutions.

So, get your ideas rolling and let the good things flow...

Wouter

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
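The sleep/wakeup binding described in the post above, worked through as an added example (this is not Wouter's code and not from the thread). It keeps the IP check, adds the idle-time check that the stored timestamp makes possible, restores the object with an `allowed_classes` whitelist, and configures the session so the files do not live in the shared /tmp and the id is never carried in the query string. Everything named here beyond `__sleep`, `__wakeup`, `Data` and `Night` is an assumption: the `Logger` class standing in for the poster's `$Log`, `SessionUser`, `PRIVATE_SESSION_DIR`, `MAX_IDLE_SECONDS`, `configureSession()` and `roundTrip()`, plus the constructed sample user and IP addresses.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumed values:
const PRIVATE_SESSION_DIR = __DIR__ . '/../private/sessions'; // outside the docroot and /tmp
const MAX_IDLE_SECONDS    = 1800;                              // clear data after 30 min idle

// Stand-in for the poster's global $Log object.
final class Logger
{
    public static function warning(string $msg): void
    {
        fwrite(STDERR, 'WARNING: ' . $msg . PHP_EOL);
    }
}

final class SessionUser
{
    public array $Data  = [];
    public array $Night = [];   // written by __sleep: ['Time' => int, 'IP' => string]

    public function __construct(array $data)
    {
        $this->Data = $data;
    }

    // Called when the object is serialized into the session: record who and when.
    public function __sleep(): array
    {
        $this->Night = [
            'Time' => time(),
            'IP'   => $_SERVER['REMOTE_ADDR'] ?? '',
        ];
        return ['Data', 'Night'];
    }

    // Called when the object is restored: verify the client and the age of the record.
    public function __wakeup(): void
    {
        $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
        $age = time() - (int)($this->Night['Time'] ?? 0);

        if (($this->Night['IP'] ?? null) !== $ip) {
            Logger::warning('IP address changed between sleep and wakeup, clearing user data');
            $this->Data = [];
        } elseif ($age > MAX_IDLE_SECONDS) {
            Logger::warning("session record is {$age}s old, clearing user data");
            $this->Data = [];
        }
    }
}

// Session settings that keep the files out of /tmp and the id out of URLs.
// Must be called before session_start().
function configureSession(): void
{
    if (!is_dir(PRIVATE_SESSION_DIR)) {
        mkdir(PRIVATE_SESSION_DIR, 0700, true);
    }
    session_save_path(PRIVATE_SESSION_DIR);
    ini_set('session.use_only_cookies', '1');   // ignore ids passed in the query string
    ini_set('session.use_trans_sid', '0');      // never append the id to links
    ini_set('session.cookie_httponly', '1');    // keep the cookie away from page scripts
}

// Simulates one save/reload cycle of the session, with the client IP at each step.
function roundTrip(SessionUser $user, string $ipAtSleep, string $ipAtWakeup): SessionUser
{
    $_SERVER['REMOTE_ADDR'] = $ipAtSleep;
    $blob = serialize($user);

    $_SERVER['REMOTE_ADDR'] = $ipAtWakeup;
    // Only SessionUser may be instantiated from the stored blob.
    $restored = unserialize($blob, ['allowed_classes' => [SessionUser::class]]);
    if (!$restored instanceof SessionUser) {
        throw new RuntimeException('session blob did not decode to a SessionUser');
    }
    return $restored;
}

// Constructed sample data (not from the post).
$user  = new SessionUser(['id' => 42, 'name' => 'wouter']);
$same  = roundTrip($user, '192.0.2.10', '192.0.2.10');   // same client: data survives
$moved = roundTrip($user, '192.0.2.10', '198.51.100.7'); // different client: data cleared

printf("same host kept data: %s\n", $same->Data === $user->Data ? 'yes' : 'no');
printf("changed host cleared data: %s\n", $moved->Data === [] ? 'yes' : 'no');
```

Two caveats on the design. The IP check only limits replay of a stolen id from another address; it does nothing for the /tmp problem the post raises, because whoever can read the file reads the user data (and the stored IP) regardless, so that part is addressed only by `session_save_path` pointing at a directory the other vhosts cannot read, which in turn only holds when each vhost runs under its own uid (PHP-FPM pools or similar). With a shared uid, store sessions through a custom handler in a database with per-application credentials, or encrypt the serialized payload with a key kept outside the web-readable tree. Also, `REMOTE_ADDR` changes legitimately for clients behind proxy pools and on mobile networks, so this check trades some availability for a modest amount of hardening.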