Format of session id and $_SERVER['REMOTE_ADDR']

Hi

In cases where I need to store the session id and/or the remote host in
a database I have used tinytext fields so far. Anyway, the usual
values for session ids are 32 characters long, and IP addresses are not
longer than 15 characters, so using char(32) resp. char(15) would
actually improve the database performance. But I did not find
information on whether this is safe or not.

So my questions are:
- Is a PHP session id always 32 characters long (if it is generated
normally with session_start() of course), or can its format vary due to
PHP versions or configurations (I work in shared hosting environments)?
- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP address
of the format xxx.xxx.xxx.xxx, or can this also be an IPv6 address or other?

Thanks for a clarification!
Markus
Feb 2 '07 #1
Markus wrote:
- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP address
of the format xxx.xxx.xxx.xxx, or can this also be an IPv6 address or
other?
Yeah - you can expect it.
But that doesn't mean the IP address is correct.
That's the easiest thing of all for malicious users to spoof.
Feb 2 '07 #2
Markus wrote:
Hi

In cases where I need to store the session id and/or the remote host in
a database I have used tinytext fields so far. Anyway, the usual
values for session ids are 32 characters long, and IP addresses are not
longer than 15 characters, so using char(32) resp. char(15) would
actually improve the database performance. But I did not find
information on whether this is safe or not.

So my questions are:
- Is a PHP session id always 32 characters long (if it is generated
normally with session_start() of course), or can its format vary due to
PHP versions or configurations (I work in shared hosting environments)?
Currently it's 32 characters long. That's not to say it can't change in
future releases.
- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP address
of the format xxx.xxx.xxx.xxx, or can this also be an IPv6 address or
other?
Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
useful manner. It comes directly from the IP header. It is also the IP
address where the response would be sent. And while theoretically it
could be forged, this requires hacking into the IP stack itself, not
just a simple script or browser change - much more complicated than
forging some of the other header values (like HTTP_REFERER). And it's
really only useful for a DoS attack.

But this can be an IPv6 address if/when your hosting company goes
that way.
Thanks for a clarification!
Markus

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 3 '07 #3
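Worked example added to this thread by the editor (it is not code from any of the posters): instead of hard-coding 32, read the id length PHP is configured to generate, validate ids against the alphabet PHP itself accepts, and size the address column so an IPv6 peer does not get truncated. It assumes PHP 7.1 or later, where session.sid_length and session.sid_bits_per_character govern the id (the PHP 5 defaults of MD5 and 4 bits per character are what gave the 32 characters discussed above). The function names configuredSidLength, isValidSessionId, normalizeRemoteAddr and suggestedColumns are the editor's; filter_var, inet_pton and inet_ntop are standard PHP.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1, where
// session.sid_length (22..256, default 32) and session.sid_bits_per_character
// (4, 5 or 6) decide what session_start() generates.

declare(strict_types=1);

// Length of the ids session_start() will generate under the current settings.
function configuredSidLength(): int
{
    $len = ini_get('session.sid_length');           // false on PHP < 7.1
    return ($len === false || $len === '') ? 32 : (int) $len;
}

// Alphabet PHP accepts when reading an id back from the cookie:
// 4 bits/char -> 0-9a-f, 5 bits -> 0-9a-v, 6 bits -> 0-9a-zA-Z plus "-" and ",".
// Anything outside this set is rejected by PHP before it reaches your code.
function isValidSessionId(string $sid): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sid) === 1;
}

// REMOTE_ADDR is the peer address of the TCP connection, so it is whatever
// family the listener uses and can be IPv6. Validate it, then keep the packed
// form (4 or 16 bytes) so a single column serves both families.
function normalizeRemoteAddr(?string $addr): ?array
{
    if ($addr === null || filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($addr);
    if ($packed === false) {
        return null;
    }
    return [
        'text'   => inet_ntop($packed),                  // canonical text, at most 45 chars
        'packed' => $packed,                             // fits VARBINARY(16)
        'family' => strlen($packed) === 4 ? 'IPv4' : 'IPv6',
    ];
}

// Column sizes that will not silently truncate (MySQL type names).
function suggestedColumns(): array
{
    return [
        'session_id'  => sprintf('CHAR(%d)', configuredSidLength()),
        'remote_text' => 'VARCHAR(45)',    // "::ffff:255.255.255.255" is 45 characters
        'remote_bin'  => 'VARBINARY(16)',
    ];
}

// Constructed inputs for illustration; not captured traffic.
foreach (['203.0.113.7', '2001:db8::1', '::ffff:203.0.113.7', '10.0.0.1.1', 'not-an-ip'] as $in) {
    $n = normalizeRemoteAddr($in);
    printf("%-20s %s\n", $in, $n === null ? 'rejected' : $n['text'] . ' (' . $n['family'] . ')');
}
print_r(suggestedColumns());
var_dump(isValidSessionId(str_repeat('a', 10)));     // shorter than any PHP setting allows
```

Storing the packed form (VARBINARY(16)) also makes range and prefix queries on addresses possible later, which a CHAR(15) never will; if you only ever display the value, VARCHAR(45) is enough. Whichever you pick, do not rely on the database truncating an oversized id for you, because a truncated id no longer identifies the session it came from.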
Jerry Stuckle schrieb:
>- Is a PHP session id always 32 characters long (if it is generated
normally with session_start() of course), or can its format vary due
to PHP versions or configurations (I work in shared hosting
environments)?

Currently it's 32 characters long. That's not to say it can't change in
future releases.
So as I use it only for temporary data, such as shopping cart orders or
administrator activities, I assume it is a good idea to work with
substr(session_id(), 0, 32);
>- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP address
of the format xxx.xxx.xxx.xxx, or can this also be an IPv6 address or
other?

Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
useful manner. It comes directly from the IP header. It is also the IP
address where the response would be sent. And while theoretically it
could be forged, this requires hacking into the IP stack itself, not
just a simple script or browser change - much more complicated than
forging some of the other header values (like HTTP_REFERER). And it's
really only useful for a DoS attack.

But this can be an IPv6 address if/when your hosting company goes
that way.
To be honest, I never understood what the point is in collecting this
value at all; it just had been there in the first sample script I got
from my first PHP teacher years ago...

Thanks a lot for your helpful info!
Markus
Feb 6 '07 #4
Markus wrote:
Jerry Stuckle schrieb:
>>- Is a PHP session id always 32 characters long (if it is generated
normally with session_start() of course), or can its format vary due
to PHP versions or configurations (I work in shared hosting
environments)?

Currently it's 32 characters long. That's not to say it can't change
in future releases.
So as I use it only for temporary data, such as shopping cart orders or
administrator activities, I assume it is a good idea to work with
substr(session_id(), 0, 32);
If you try to insert a longer string into the database than the column allows,
it will automatically be truncated to the max length for the column, so you
don't have to use substr any more when you compare the two values. Or you just
assume it's 32 characters long until the day you notice it doesn't work any more,
when you ALTER the table to give more space for session ids.

>>- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
address of the format xxx.xxx.xxx.xxx, or can this also be an IPv6
address or other?

To be honest, I never understood what the point is in collecting this
value at all; it just had been there in the first sample script I got
from my first PHP teacher years ago...
The vast majority of users will have one and the same IP number each time they
request a page during the same session, so you can use that IP number to check
if the request comes from the same machine or not. If you get another IP, you
can assume that someone has managed to sniff the session id and is trying to take
over that session; then you could terminate the session and request that the
user log in once more.

If you feel it's overkill, then remove the whole thing; there is no point in keeping an
IP number in a database if you're not going to use it.

--

//Aho
Feb 6 '07 #5
Markus wrote:
Jerry Stuckle schrieb:
>>- Is a PHP session id always 32 characters long (if it is generated
normally with session_start() of course), or can its format vary due
to PHP versions or configurations (I work in shared hosting
environments)?

Currently it's 32 characters long. That's not to say it can't change
in future releases.
So as I use it only for temporary data, such as shopping cart orders or
administrator activities, I assume it is a good idea to work with
substr(session_id(), 0, 32);
Why even worry about the session id? Just let PHP handle it. You don't
want to store the session id in a database - the data will be gone soon,
anyway. Then you're left with a session id in the database but no
session to go with it.
>>- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
address of the format xxx.xxx.xxx.xxx, or can this also be an IPv6
address or other?

Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
useful manner. It comes directly from the IP header. It is also the
IP address where the response would be sent. And while theoretically
it could be forged, this requires hacking into the IP stack itself,
not just a simple script or browser change - much more complicated
than forging some of the other header values (like HTTP_REFERER). And
it's really only useful for a DoS attack.

But this can be an IPv6 address if/when your hosting company goes
that way.
To be honest, I never understood what the point is in collecting this
value at all; it just had been there in the first sample script I got
from my first PHP teacher years ago...

Thanks a lot for your helpful info!
Markus

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 6 '07 #6
J.O. Aho wrote:
Markus wrote:
>Jerry Stuckle schrieb:
>>>- Is a PHP session id always 32 characters long (if it is generated
normally with session_start() of course), or can its format vary
due to PHP versions or configurations (I work in shared hosting
environments)?

Currently it's 32 characters long. That's not to say it can't change
in future releases.
So as I use it only for temporary data, such as shopping cart orders
or administrator activities, I assume it is a good idea to work with
substr(session_id(), 0, 32);

If you try to insert a longer string into the database than the column
allows, it will automatically be truncated to the max length for the
column, so you don't have to use substr any more when you compare the two
values. Or you just assume it's 32 characters long until the day you
notice it doesn't work any more, when you ALTER the table to give more
space for session ids.

>>>- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
address of the format xxx.xxx.xxx.xxx, or can this also be an IPv6
address or other?

To be honest, I never understood what the point is in collecting this
value at all; it just had been there in the first sample script I got
from my first PHP teacher years ago...

The vast majority of users will have one and the same IP number each
time they request a page during the same session, so you can use that
IP number to check if the request comes from the same machine or not. If
you get another IP, you can assume that someone has managed to sniff the
session id and is trying to take over that session; then you could
terminate the session and request that the user log in once more.
Mostly true. But many users can change IP addresses each time because
they are using a pool of proxy servers. AOL is a great example of this,
but there are others.

And most corporations have a firewall and everyone behind the firewall
uses the same IP address. So you could have hundreds or even thousands
of people using the same IP address.
If you feel it's overkill, then remove the whole thing; there is no point in
keeping an IP number in a database if you're not going to use it.
Sessions are not security. If you need security, use a secure protocol.
Then you won't have a problem with sniffing session id's.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 6 '07 #7
Jerry Stuckle schrieb:
>So as I use it only for temporary data, such as shopping cart orders
or administrator activities, I assume it is a good idea to work with
substr(session_id(), 0, 32);

Why even worry about the session id? Just let PHP handle it. You don't
want to store the session id in a database - the data will be gone soon,
anyway. Then you're left with a session id in the database but no
session to go with it.
Ooops... this is indeed a remnant from the times when I handled
sessions manually. Thanks for pointing this out!

Markus
Feb 7 '07 #8
Jerry Stuckle schrieb:
J.O. Aho wrote:
>>To be honest, I never understood what the point is in collecting this
value at all; it just had been there in the first sample script I got
from my first PHP teacher years ago...

The vast majority of users will have one and the same IP number each
time they request a page during the same session, so you can use that
IP number to check if the request comes from the same machine or not.
If you get another IP, you can assume that someone has managed to
sniff the session id and is trying to take over that session; then you
could terminate the session and request that the user log in once more.

Mostly true. But many users can change IP addresses each time because
they are using a pool of proxy servers. AOL is a great example of this,
but there are others.

And most corporations have a firewall and everyone behind the firewall
uses the same IP address. So you could have hundreds or even thousands
of people using the same IP address.
>If you feel it's overkill, then remove the whole thing; there is no point in
keeping an IP number in a database if you're not going to use it.

Sessions are not security. If you need security, use a secure protocol.
Then you won't have a problem with sniffing session id's.
These are interesting points. The application is intended to be used in
various shared-hosting based environments; the choice of the protocol is
not part of it. But I just thought about introducing some kind of
low-level security by adding an IP check as an option, which can be
turned off if the administrators work in an environment where the IP is
likely to change during the session.
Feb 7 '07 #9
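Worked example added by the editor for the IP-check discussion in posts #5, #7 and #9 above (it is not code from any of the posters). It binds a session to the address and browser seen at login, rechecks both on every request, and exposes the address check as a switch the administrator can turn off when the users sit behind proxy pools or NAT, which is the trade-off Jerry describes. Everything here is the editor's own: the SESSION_BIND_IP constant, the clientAddress, bindSession, sessionStillBound and enforceBinding functions, and the /login.php redirect target are hypothetical names; $_SERVER keys, session_regenerate_id and hash_equals are standard PHP. Note the X-Forwarded-For handling: REMOTE_ADDR is trusted because it is the TCP peer, but a forwarded header is only believed when that peer is a proxy you operate, since any client can send the header itself.

```php
<?php
// Added example, not from the thread. Binds a PHP session to the client
// address and user agent observed at login; the address part is optional.

declare(strict_types=1);

const SESSION_BIND_IP = true;   // hypothetical switch; set false behind proxy pools / NAT

// Address to bind to. Only believe X-Forwarded-For when the direct peer is one
// of our own proxies; take the last hop, which that proxy appended itself.
function clientAddress(array $server, array $trustedProxies = []): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', (string) $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote;
}

// Call once after a successful login, with the session already started.
function bindSession(array $server, array $trustedProxies = []): void
{
    session_regenerate_id(true);   // new id on privilege change: also defeats session fixation
    $_SESSION['bound_ip'] = clientAddress($server, $trustedProxies);
    $_SESSION['bound_ua'] = hash('sha256', (string) ($server['HTTP_USER_AGENT'] ?? ''));
}

// True if the current request still matches what was recorded at login.
function sessionStillBound(array $server, bool $checkIp = SESSION_BIND_IP, array $trustedProxies = []): bool
{
    if (!isset($_SESSION['bound_ua'], $_SESSION['bound_ip'])) {
        return false;                        // never bound: treat as not logged in
    }
    $ua = hash('sha256', (string) ($server['HTTP_USER_AGENT'] ?? ''));
    if (!hash_equals($_SESSION['bound_ua'], $ua)) {
        return false;
    }
    return !$checkIp || $_SESSION['bound_ip'] === clientAddress($server, $trustedProxies);
}

// Per-request guard for protected pages: drop the session and force re-login.
function enforceBinding(array $server): void
{
    if (!sessionStillBound($server)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php', true, 303);   // hypothetical login URL
        exit;
    }
}

// Constructed demo without a real request: bind, then present the same
// session from a different address, as a hijacker holding a sniffed id would.
$_SESSION = [];
$login = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (demo)'];
$_SESSION['bound_ip'] = clientAddress($login);
$_SESSION['bound_ua'] = hash('sha256', $login['HTTP_USER_AGENT']);

$hijacker = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (demo)'];
var_dump(sessionStillBound($login));            // same client
var_dump(sessionStillBound($hijacker));         // other address, IP check on
var_dump(sessionStillBound($hijacker, false));  // other address, IP check off
```

With the check on, the second call fails and the third passes, which is exactly the gap the switch opens: an administrator behind a rotating proxy pool keeps working, but so would an attacker who replays the id from elsewhere. The user-agent half of the binding stays on in both modes, and regenerating the id at login is the part that matters regardless of whether the address is checked.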
>Why even worry about the session id? Just let PHP handle it. You don't
>want to store the session id in a database - the data will be gone soon,
anyway. Then you're left with a session id in the database but no
session to go with it.
I'd prefer to use a session save handler and store all the session
data in a database rather than in a bunch of little files in a
directory. (Although, generally, letting PHP handle most details
of sessions works well.) For one thing, if I want my sessions to
expire *RELIABLY* on time, something like:

delete from sessiontable where lasthittime < subdate(now(), interval 4 hour);
run every 10 minutes (Or better, the session restore handler can simply
not find the existing session record if it's even one second over expired.)

seems to operate much quicker than looking at file stamps on a lot
of session files every 10 minutes. Clearing all the sessions on
reboot is also much faster. And sometimes the database entries are
more convenient to deal with than little files if you're trying to
debug something.

Should you have a reason for an admin page that lists currently
logged-in users, fetching that info out of a database may be much
easier than looking at lots of little files.
>>>- Can I safely expect $_SERVER['REMOTE_ADDR'] to deliver an IP
address of the format xxx.xxx.xxx.xxx, or can this also be an IPv6
address or other?
If your server is on an IPv6 network, there may well not be any
IPv4 address that corresponds, so it would have to give you an IPv6
address or something useless.
>>Unlike other comments, $_SERVER['REMOTE_ADDR'] cannot be forged in a
useful manner. It comes directly from the IP header. It is also the
IP address where the response would be sent. And while theoretically
it could be forged, this requires hacking into the IP stack itself,
not just a simple script or browser change - much more complicated
than forging some of the other header values (like HTTP_REFERER). And
it's really only useful for a DoS attack.

But this can be an IPv6 address if/when your hosting company goes
that way.
To be honest, I never understood what the point is in collecting this
value at all; it just had been there in the first sample script I got
from my first PHP teacher years ago...
The IP address and timestamp are useful in making complaints to
ISPs about their malicious users, especially when they DOS attack
you, and in making complaints to police when they use stolen credit
card numbers at your site.

Feb 8 '07 #10
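Worked example added by the editor for the database save handler described in post #10 (it is not the poster's code). It implements PHP's SessionHandlerInterface on top of PDO and enforces the lifetime on read, so a record even one second past its expiry is simply not found, as the post suggests; gc() is the in-process equivalent of the cron DELETE quoted above. The class name DbSessionHandler, the sessions table with its id, data and last_hit columns, and the four-hour default are the editor's choices; the demo at the bottom runs against an in-memory SQLite database so it works offline, and REPLACE INTO was chosen because both MySQL and SQLite accept it. It assumes PHP 8.0 or later for constructor promotion and union return types.

```php
<?php
// Added example, not from the thread. Database-backed session storage with
// expiry enforced on read. Hypothetical schema (MySQL spelling):
//   CREATE TABLE sessions (
//     id       VARCHAR(256) NOT NULL PRIMARY KEY,   -- session.sid_length maximum
//     data     BLOB NOT NULL,
//     last_hit INTEGER NOT NULL                     -- unix time of last write
//   );

declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime = 4 * 3600) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Expired rows are filtered in the query itself, so PHP sees "no session"
    // and starts a fresh one instead of reviving stale data.
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND last_hit >= ?');
        $st->execute([$id, time() - $this->lifetime]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;
    }

    public function write(string $id, string $data): bool
    {
        // Refuse ids PHP itself would not accept from a cookie (defence in depth).
        if (preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) !== 1) {
            return false;
        }
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, last_hit) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Run by PHP's probabilistic GC; same effect as the cron DELETE in the post.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_hit < ?');
        $st->execute([time() - $this->lifetime]);
        return $st->rowCount();
    }
}

// Wiring in a real application (hypothetical DSN and credentials):
//   $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
//   session_set_save_handler(new DbSessionHandler($pdo), true);
//   session_start();

// Constructed offline demo with SQLite in memory.
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE sessions (id VARCHAR(256) PRIMARY KEY, data BLOB NOT NULL, last_hit INTEGER NOT NULL)');
    $h  = new DbSessionHandler($pdo, lifetime: 60);
    $id = 'ttnp5ab1p1bfs0h1k1s4g1s3gd';                 // constructed 26-char id in PHP's alphabet
    $h->write($id, 'cart|a:1:{s:3:"sku";s:5:"A-100";}');  // constructed serialized session data
    echo $h->read($id), "\n";                             // fresh: data comes back
    $pdo->exec('UPDATE sessions SET last_hit = last_hit - 3600');   // age the row past its lifetime
    var_dump($h->read($id));                              // expired: treated as missing
    echo $h->gc(60), " expired row(s) removed\n";
}
```

An admin page listing logged-in users, as the post mentions, becomes a SELECT over the same table with the same last_hit condition. One caveat: without session.use_strict_mode, PHP will reuse an id it received in the cookie even after read() returned nothing, so the expired row is overwritten rather than replaced by a new id; enable strict mode, or implement SessionUpdateTimestampHandlerInterface::validateId, if you want expired ids to be rejected outright.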
