Afaik that's the usual technique against session theft in PHP. A lot of PHP apps look the same.
Stephane

On 11 Sept. 2013 23:13, "Rodrigo Castillo" <[email protected]> wrote:
> I'm exploring the rcmail_session class to hunt down some intermittent
> issues with untimely session expiration, and to develop a better
> remember_me extension (or attempt to get it into core...).
>
> I came across the following code
>
> ...
>     /**
>      * Setter for session lifetime
>      */
>     public function set_lifetime($lifetime)
>     {
>         $this->lifetime = max(120, $lifetime);
>
>         // valid time range is now - 1/2 lifetime to now + 1/2 lifetime
>         $now = time();
>         $this->now = $now - ($now % ($this->lifetime / 2));
>     }
> ...
>     /**
>      * Create session cookie from session data
>      *
>      * @param int Time slot to use
>      */
>     function _mkcookie($timeslot)
>     {
>         $auth_string = "$this->key,$this->secret,$timeslot";
>         return "S" . (function_exists('sha1') ? sha1($auth_string) : md5($auth_string));
>     }
> ...
>     /**
>      * Check session authentication cookie
>      *
>      * @return boolean True if valid, False if not
>      */
>     function check_auth()
>     {
>         ...
>         if ($result && $this->_mkcookie($this->now) != $this->cookie) {
>         ...
>     }
>
> It's quite deliberate, and it made me curious as to the reasoning behind
> the decision not to simply include a 'created_at' and 'expires_at' within
> the cookie, which would simplify the validation of the timespan. Is the
> reason for security, or perhaps load balancing?
> _______________________________________________
> Roundcube Development discussion mailing list
> [email protected]
> http://lists.roundcube.net/mailman/listinfo/dev
_______________________________________________ Roundcube Development discussion mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/dev
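The following is an added, self-contained PHP model of the time-slot-bound cookie scheme quoted above; it is not Roundcube's code and not part of this thread. Class and method names (SlotCookie, slotFor, mint, checkStrict, checkWithGrace), the key/secret strings and the timestamps are all constructed for the walkthrough. It keeps the quoted arithmetic (`max(120, lifetime)`, slot start = `now - now % (lifetime/2)`) but binds the cookie with `hash_hmac()` instead of a bare `sha1()` of the concatenated secret, and it shows the property that explains "untimely" expirations: a cookie is accepted only while the slot it was minted in is the current slot, so at minting it has anywhere between one second and lifetime/2 of validity left unless the server re-issues it on each slot change. The `checkWithGrace` variant, which also accepts the immediately preceding slot, is one possible mitigation and is not something the quoted code does.

```php
<?php
// Added model of the half-lifetime slot cookie discussed in the quoted message.
// NOT Roundcube's code: names below are invented, values are constructed.

final class SlotCookie
{
    private int $lifetime;

    public function __construct(private string $key, private string $secret, int $lifetime)
    {
        // Same floor as the quoted set_lifetime().
        $this->lifetime = max(120, $lifetime);
    }

    // Start of the half-lifetime slot containing $time (mirrors $this->now above).
    public function slotFor(int $time): int
    {
        $slot = intdiv($this->lifetime, 2);
        return $time - ($time % $slot);
    }

    // Cookie value bound to one slot. A keyed hash replaces the quoted sha1() so the
    // value cannot be reproduced without the server-side secret.
    public function mint(int $time): string
    {
        return 'S' . hash_hmac('sha256', $this->key . ',' . $this->slotFor($time), $this->secret);
    }

    // Validation as in the quoted check_auth(): only the current slot is accepted.
    // hash_equals() avoids the timing leak of a plain string comparison.
    public function checkStrict(string $cookie, int $time): bool
    {
        return hash_equals($this->mint($time), $cookie);
    }

    // Assumed alternative: also accept the previous slot, so a cookie minted just
    // before a slot boundary survives the rollover for up to lifetime/2 more seconds.
    public function checkWithGrace(string $cookie, int $time): bool
    {
        $slot = intdiv($this->lifetime, 2);
        return hash_equals($this->mint($time), $cookie)
            || hash_equals($this->mint($time - $slot), $cookie);
    }
}

// Constructed walkthrough: lifetime 600 s gives 300 s slots. 999999900 is a slot
// start (divisible by 300), so minting at +299 s is one second before the boundary.
$c = new SlotCookie('session-id-abc123', 'server-secret-xyz', 600);
$minted = 999_999_900 + 299;
$cookie = $c->mint($minted);

foreach ([0, 1, 150, 301] as $delta) {
    $t = $minted + $delta;
    printf("%+4ds after minting: strict=%s grace=%s\n", $delta,
        $c->checkStrict($cookie, $t) ? 'ok' : 'REJECT',
        $c->checkWithGrace($cookie, $t) ? 'ok' : 'REJECT');
}
```

Run with `php slotcookie.php` (PHP 8 or later for the promoted constructor properties). The strict check rejects the cookie from the first second after the boundary, while the grace variant keeps accepting it until the slot after that, which is the behaviour a server gets for free only if it re-mints the cookie whenever the slot changes.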
