> > The real IP address can be tracked in most cases (say, using the
> > HTTP_X_FORWARDED header and others) but I am not really sure that we
> > should put the logic for that in the PHP engine itself. Users can
> > add the additional PHP code to their libraries. Anyway, you can
> > change the session id from the PHP code itself.
>
> Still the IP of the client can change every once in a while
> when his DHCP lease expires ... or when they use dial-on-demand
> and automatic hangup as e.g. provided by the Linux ISDN subsystem?
> Do you really want client sessions to become invalid every time
> their ISP decides to assign them a new IP? For my system at home
> this could make a service unusable as it automatically hangs up
> the ISDN line after 60sec without IP traffic and redials on demand
> (with ISDN you have connect times of <1sec, so you don't even
> notice you've been disconnected, but you'll notice the effect on
> the bill if you are charged by connection time).
> So my Client IP might even be different for every single request
> if it takes me more than a minute to read a page or fill out a
> form ...
You got a point there. I am not arguing that this needs to be added to the
engine code itself. But I do argue that site owners should at least have such
code to warn them about possible hijack attempts. It all comes down to how
paranoid you are. For example, a changed IP address of the client (not the
proxy) can be accepted as normal, but if the USER_AGENT changes as well - now
that is suspicious.

Ivan

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
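A site-side version of the heuristic Ivan describes, added here as an illustration (it is not code from this thread or from the PHP engine): the client address is recorded but an address change on its own is tolerated, while a User-Agent change on an established session is treated as a possible hijack and the session is invalidated. The `client_fingerprint` and `classify_request` names, the `error_log` audit hook and the use of `REMOTE_ADDR` rather than the forwarded header are all assumptions of this example.

```php
<?php
// Added example for the "IP may change, User-Agent should not" heuristic.
// Include at the top of every page, before any authenticated output.
declare(strict_types=1);

// Use the TCP peer address, not X-Forwarded-For: that header is supplied by
// the client and is only meaningful behind a reverse proxy you control.
function client_fingerprint(): array {
    return [
        'ip' => $_SERVER['REMOTE_ADDR'] ?? '',
        'ua' => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
}

// Returns 'ok', 'ip_changed' (tolerated, see the DHCP/ISDN point above)
// or 'suspicious' (User-Agent changed on an existing session).
function classify_request(array $stored, array $current): string {
    if ($stored === []) {
        return 'ok';                     // first request of a fresh session
    }
    if (!hash_equals($stored['ua'], $current['ua'])) {
        return 'suspicious';
    }
    return $stored['ip'] === $current['ip'] ? 'ok' : 'ip_changed';
}

session_start();
$current = client_fingerprint();
$verdict = classify_request($_SESSION['fp'] ?? [], $current);

switch ($verdict) {
    case 'suspicious':
        // Assumed audit hook; do not log the session id itself.
        error_log(sprintf('possible session hijack from %s', $current['ip']));
        $_SESSION = [];                  // drop the authenticated state
        session_regenerate_id(true);     // and retire the old session id
        $_SESSION['fp'] = $current;      // caller should now require re-login
        break;
    case 'ip_changed':
        // Accepted as normal; keep the latest address for audit purposes.
        $_SESSION['fp']['ip'] = $current['ip'];
        break;
    default:
        $_SESSION['fp'] = $current;
}
```

Tune the policy to the site: a strict deployment may also treat an IP change as suspicious, while a permissive one may only warn rather than invalidate.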