Re: [Phplib-users] store the IP in the session
From: Giancarlo <gia...@na...> - 2002-12-09 00:58:51
>>>$fallback_mode) because this would allow new modes to be added and a
>>>preference list built ($mode = array("cert", "cookie")) where cert is
>>Ok, then in that case you'd certainly want to be able to apply 'cert'
>>only from a certain moment on, so be able to migrate your session and
>>user data from the previous type of session into this new one. And not
>>impose one choice at the start.
>>And you'd never let a 'cert' session downgrade to 'cookie' while
>>maintaining the same privileges. OTH.
It's somehow also the programmer's responsibility to see that the mode is not
downgraded. You know, the annoying messages when entering/leaving secure
mode.
> Correct, with a major exception. There is no reason why a session could not
> be transformed from one mode to another. The mode would just have to be
> stored in auth. Then a page_open would know how to restore the session
> and a function such as auth->change_mode would make the change.
Thus the change_mode has to be done while restoring the session, which
happens before any auth exists. So auth has to be able to call a
function that saves the session data, creates a new one of the type
wanted, and restores the data. There's a patch from me that already does this
for session3, while I committed the $block_alien_sids check to
session.inc in the php-lib-stable cvs. With php4 I couldn't find a way
to do this using php4 session functions. Nor, it seems, did Maxim, as he
reinserted the known 'Header: 302 Moved there' or similar.
Better if the session has a new sid here, as it acquires a higher grade.
Going back to lower-level cookie/get, things are not much different.
I see in Maxim's that session_start can be executed twice. I wonder what
happens if session.use_only_cookies is set between the two.
> The list simply
> specifies the ones you want to allow, and auth would pick the most secure
> that works. If you want to force a mode change, then no problem as long as
> it is one of the ones that you support.
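An added illustration of the mode-change procedure the thread describes (save the data, create a session of the wanted type under a new sid, restore the data, and never carry privileges through a downgrade). This is example code, not phplib's session or auth classes; SessionStore, change_mode, $modes and the 'uid' key are assumptions for the illustration.

```php
<?php
// Illustrative model of session modes: a record carries its mode; an
// upgrade moves the data into a fresh sid, a downgrade drops the login.
class SessionStore {
    // Preference list, most secure first, as in $mode = array("cert", "cookie").
    public $modes = array("cert", "cookie");
    private $sessions = array();   // sid => array('mode' => ..., 'data' => ...)

    private function new_sid() {
        return bin2hex(random_bytes(16));   // unguessable sid
    }

    public function create($mode, $data = array()) {
        $this->rank($mode);                 // reject unsupported modes
        $sid = $this->new_sid();
        $this->sessions[$sid] = array('mode' => $mode, 'data' => $data);
        return $sid;
    }

    public function get($sid) {
        return isset($this->sessions[$sid]) ? $this->sessions[$sid] : null;
    }

    // Position in the preference list; lower index means more secure.
    private function rank($mode) {
        $r = array_search($mode, $this->modes, true);
        if ($r === false) {
            throw new InvalidArgumentException("unsupported mode: $mode");
        }
        return $r;
    }

    // Save the data, create a session of the wanted type, restore the data,
    // and drop the old sid so it cannot be replayed at the higher grade.
    // Going to a less secure mode does not keep the authenticated identity.
    public function change_mode($sid, $new_mode) {
        $old = $this->get($sid);
        if ($old === null) {
            throw new RuntimeException("unknown sid");
        }
        $data = $old['data'];
        if ($this->rank($new_mode) > $this->rank($old['mode'])) {
            unset($data['uid']);            // downgrade: privileges do not survive
        }
        unset($this->sessions[$sid]);       // old sid is invalidated
        return $this->create($new_mode, $data);
    }
}
```

Calling change_mode($sid, "cert") on a "cookie" session returns a new sid holding the same data, while change_mode($sid, "cookie") on a "cert" session returns a new sid whose data no longer contains 'uid'.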