Using the built-in PHP 4 session support you can do IP checking on the
sessions; in fact, you should be able to do IP checking with any session
library as long as you do it in your application.

Checking the IP when using sessions might give you some additional
security, but many ISPs use web proxies and caches; while some of these
proxies allow you to see the original IP, many do not.  Additionally, the
user may be routed through a different proxy depending on the ISP setup,
which would result in their session being dropped.

You might consider using your existing session system over an SSL
connection; it would provide increased security without changing your
code.

The only time I have needed to use anything other than the standard PHP
session support was when I needed my sessions to be encrypted on the
server; even in this case I just wrote my own session handler and used
the PHP 4 functions.

If your code is working well there may be little reason to change it. It
may be a more responsible decision to wait until your application is
undergoing a re-design to change your session handling, or it may not be;
it all depends on how much time you have, and the features you need and
are not getting now.

If you do decide to go ahead with the IP checking, one way to do it is to
store the session id and IP address in a database, then add logic to
your application that checks the session id against the IP address in
the database before the session is started; if they don't match, it
clears the session variables and starts a blank session.  I've done this
in the past but found it provided only limited security advantages
compared to other things like SSL.

Jason

On Mon, 2003-02-17 at 21:21, Vincent M. wrote:
> Hello,
> 
> I am using the phplib just for the sessions management and unfortunately 
> this project seems dead (no?), no official release using the php4 
> session support.
> What's more, I am looking for a sessions library which could check the 
> IP address of users, not only the cookie. In case of bad hats steal cookies...
> What I use in my current code is:
> page_open(array("sess" => "SIOVA_Session", "auth" => 
> "SIOVA_Challenge_Auth", "perm" => "SIOVA_Perm"));
> $perm->check("user");
> page_close() ;
> $auth->auth["perm"] == "admin" ;// and other privilege checks...
> $sess->delete() ;
> $auth->unauth();
> $auth->logout();
> etc...
> 
> What do you think I should use instead of the phplib, do you think I 
> should change what I use at this time which works full well :-/
> I do want to use a library checking the cookies AND the IP addresses...to 
> do something more secure.
> 
> 
> Thanks for your advice,
> Vincent.
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
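
The database check described in the reply above (session id stored with the IP, compared before the session is started, blank session on mismatch), as an added example that is not part of the original thread. It assumes current PHP with the PDO SQLite driver rather than PHP 4; the table `session_ip`, the function names and the database path are hypothetical.

```php
<?php
// Added example: table, function names and the SQLite path are hypothetical.

function open_binding_store(string $dsn): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS session_ip
               (sid TEXT PRIMARY KEY, ip TEXT NOT NULL)');
    return $db;
}

// Classify a presented session id: 'new' (never seen), 'match' or 'mismatch'.
function check_binding(PDO $db, string $sid, string $ip): string
{
    $q = $db->prepare('SELECT ip FROM session_ip WHERE sid = ?');
    $q->execute([$sid]);
    $stored = $q->fetchColumn();
    if ($stored === false) {
        return 'new';
    }
    return $stored === $ip ? 'match' : 'mismatch';
}

function start_ip_bound_session(PDO $db, string $ip): string
{
    // Look up the id from the cookie before the session is started.
    $presented = $_COOKIE[session_name()] ?? '';
    $presented = is_string($presented) ? $presented : '';
    $state = $presented === '' ? 'new' : check_binding($db, $presented, $ip);

    session_start();
    if ($state === 'mismatch') {
        // A user whose ISP moves them to another proxy also lands here.
        $_SESSION = [];               // clear the session variables
        session_regenerate_id(true);  // blank session under a fresh id
        $db->prepare('DELETE FROM session_ip WHERE sid = ?')->execute([$presented]);
    }
    if ($state !== 'match') {
        $db->prepare('INSERT OR REPLACE INTO session_ip (sid, ip) VALUES (?, ?)')
           ->execute([session_id(), $ip]);
    }
    return $state;
}

// REMOTE_ADDR is set by the web server; the fallback is a constructed value for CLI runs.
$ip = $_SERVER['REMOTE_ADDR'] ?? '192.0.2.10';
$db = open_binding_store('sqlite:' . sys_get_temp_dir() . '/session_ip.sqlite');
$state = start_ip_bound_session($db, $ip);
```

The returned state can be logged: a run of `mismatch` results for one account is the signal to review, and it will also include users whose proxy changed mid-session.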

