Re[2]: [Phplib-users] new Session4 changes
From: Maxim D. <max...@bo...> - 2002-12-02 13:59:19
G> >> The old PHPLib's Session class is damn slow compared to the native PHP4
G> >> sessions.
G> I think that comes from the save_handler most of all

I guess the old serialize/unserialize most of all. When I first tested
Session4(_custom) with the same savehandler (CT_SQL) as the old Session,
the Session4 performed at least 2 times faster.

G> >> 1. The check for session existence is trivial. In my addition to the
G> >> Session4 the session exists if the originator's IP is registered with
G> Why not 'preissue' a fair enough number of 'second_half of session
G> info', and save them in the session, so that only one among those can
G> be appended or cookie_appended? Use once random md5 digests. Would that
G> be really bullet_proof..

It does not resolve the problem, because that "second part" is saved with
the session, and we have access to this part since we know the SID. And
this second part can leak with the next request - we should append it to
the URL for the cookie-disabled. This is also a non-standard behavior, so
we cannot use the standard trans_sid URL rewriting here.

G> >> 2. We should always try to avoid extra redirects - the main reason is
G> >> that those redirects can be misunderstood by the search robots,
G> This problem is really at the opposite of the one regarding privacy
G> and hijacking. That's why you may want more mutations, and more fallback
G> paths, depending on the situation. After all, if you have private areas
G> accessible from anything between cookieless_always_authenticated and
G> cookie_only_always_reauth (or any mix), and also want robots to sneak
G> around safe, you need the possibility to mutate the policy in different
G> ways for the cases; no one can fit all.

Yes, but sometimes the personal info should be present on [almost] every
page if the user is authenticated. And the search bot travels the same
pages as other users; they may have auth info while the bot may not (and
they will see slightly different pages). It's a common case.
--
Best regards,
Maxim Derkachev mailto:max...@bo...
IT manager, Symbol-Plus Publishing Ltd.
phone: +7 (812) 324-53-53
www.books.ru, www.symbol.ru