Inodes wrote:
You guys are probably good programmers, but my experience shows me that the
"standard" PHP developer is not aware of security problems or he/she does
not have the time to finalize the scripts (time is money...).

The problem with your patch is twofold:
1) It breaks for some users under rare circumstances which leads to very hard to reproduce bug reports. Trust me. I tried to use IP tracking and similar stuff and had to remove it because of user complaints.
2) It gives a false sense of security which leads to people spending less thoughts on the security concept of application because they rely on the session mechanism. Take proxies as an example: You'd have to also check for X-Forwarded-For headers to get the address behind a large ISPs proxy which opens up a whole new can of worms: How do you know that it wasn't the hacker sending X-Forwarded-For with the user's IP?


I decided to say "If X knows the session ID of User A then he _is_ A". (Side note: I use my own random/MD5-based session IDs which should be hard to guess). If I think sniffing a session ID is a problem then my application probably needs a higher security level anyway and I switch to SSL.

So, I will enhance the "patch" to make it less restrictive when testing the
IP addresses and think about a strategy to handle AOL-like ISPs...

Speaking from my own experience I should warn you that it is quite hard to convince this list to accept such patches. Don't be too disappointed in that case ;-)


I agree with other posts that this belongs in either
a) the application
b) PEAR (I'm pretty sure PEAR already offers something like this, haven't checked though)
and not core PHP.


- Chris
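The X-Forwarded-For problem raised above, as an added example that is not part of the thread or of PHP itself: a small PHP script that decides which address a session may be bound to. It never believes a client-supplied X-Forwarded-For unless the TCP peer is a proxy the site operates, and it applies the "less restrictive" prefix comparison Inodes mentions. The trusted-proxy list, the /24 prefix, the function names and the sample requests are all constructed for the example; it assumes 64-bit PHP for the integer mask arithmetic.

```php
<?php
// Added example, not code from the mailing-list thread or from PHP core.
// Assumes 64-bit PHP (ip2long() returns a non-negative int).

// True if $ip lies inside the IPv4 block $cidr ("10.0.0.0/8", "198.51.100.7/32").
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $mask = (0xFFFFFFFF << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function is_trusted_proxy(string $ip, array $trusted_proxies): bool {
    foreach ($trusted_proxies as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Address to treat as "the client". $server stands in for $_SERVER.
// A forged X-Forwarded-For from an untrusted peer is simply ignored.
function effective_client_ip(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'];
    if (!is_trusted_proxy($peer, $trusted_proxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // nobody we trust vouches for the header contents
    }
    // Our proxies append the address they saw, so walk from the right and
    // take the first hop that is not one of our own proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $peer; // malformed header: fall back to the peer address
        }
        if (!is_trusted_proxy($hops[$i], $trusted_proxies)) {
            return $hops[$i];
        }
    }
    return $peer; // every hop was one of ours; the peer is the best we have
}

// Lenient binding: the session stays valid while the client remains within
// the same /$prefix network, so a proxy pool rotating inside one block does
// not log the user out. $session stands in for $_SESSION.
function session_ip_ok(array &$session, string $ip, int $prefix = 24): bool {
    if (!isset($session['bound_ip'])) {
        $session['bound_ip'] = $ip;
        return true;
    }
    return ip_in_cidr($ip, $session['bound_ip'] . '/' . $prefix);
}

// Constructed sample requests (addresses from documentation ranges).
$trusted = ['10.0.0.0/8'];
$session = [];

// 1) Direct connection from 203.0.113.9 carrying a forged header.
$r1 = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
$ip1 = effective_client_ip($r1, $trusted);            // 203.0.113.9, header ignored

// 2) Same request relayed by our proxy 10.0.0.5: header is now trustworthy.
$r2 = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.9'];
$ip2 = effective_client_ip($r2, $trusted);            // 198.51.100.7

// 3) Bind the session to $ip2, then see a neighbour in the same /24 and a stranger.
session_ip_ok($session, $ip2);
$ok_same = session_ip_ok($session, '198.51.100.42'); // true, same /24
$ok_diff = session_ip_ok($session, '203.0.113.9');   // false, different network

printf("direct+forged header -> %s\n", $ip1);
printf("via trusted proxy    -> %s\n", $ip2);
printf("same /24: %s, other network: %s\n", var_export($ok_same, true), var_export($ok_diff, true));
```

The prefix check only helps when a provider's proxies rotate within one block; a client moving across unrelated ranges still fails the comparison, which is exactly the class of hard-to-reproduce complaint described above, so the check is a hint for an application to act on, not a substitute for protecting the session ID itself.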

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php