Wedge

You can always save it in the session vars. :whistle:

Not in Wedge you can't.

So what about the php build in session_regenerate_id() funktion?


Perhaps not the perfect solution but it will be more difficult to fix an session.


What do you think?

I already actually hinted at this in my thoughts above. The session id is still generated in the same manner and is thus still vulnerable.

There are certain actions that already call session_regenerate_id() exactly as it should (logging in, logging out, admin validation) but there's only so frequently you can call it before things get messy and you end up with session timeouts.

Going to play dumb here...

- We have the last login IP in the members table
- We have an associated PHPSESSID, right...? (If not, we can record it.)
- We know that some people might want to break the ID... But they don't have the same IP. Why not force IP changes to confirm the password or something?

Sometimes poeple have the same IP:
like Proxys and Networks (AOL)...

^^ This. The IP should not be trusted for any such thing.

The best one is for intranets where potentially every user has the same IP address.

Still reduces chances of session hijacking by 99%...
We don't need a solution for everything. We just need stuff that helps.

Using IP binding might stop 99% of session hijacks. It also just happens to screw up a significant proportion of legitimate users too, enough that you don't want to have to deal with the 'it's broken' support reports.

Why would they be screwed I we just ask them to confirm their password, like in the admin area?

Because you'll have users whose IP changes pretty much every request. Which means every other page they see will be a password confirmation one... yay.

Then you'll get complaints of 'it's not remembering my password', which means people will be throwing bugs left and right when it's working entirely as designed, but that doesn't mean it's the *right* design.

Again, you party pooper :P

- We don't give a damn about guests having their PHPSESSID stolen, of course.
- There remains the issue with members...
- Can you quote a single case where someone would change their IP all of a sudden while browsing? It would definitely disrupt more than one site...
- How 'bout accepting an IP change in the same range?
- And if we provide this as an option, disabled by default, it's a win-win situation...

Correct.AOL users. Mobile users. People intentionally changing their IP address to fool stupid proxy blockers or some types of ban.Depends on the range. Some of the above need different sizes of range to others.I don't think it is a win-win situation. There are enough people that mess around with harmless settings in SMF and cause trouble and need support. Give them something that could potentially lock them out, that they can only fix by phpMyAdmin? No chance.

- Range can even be country-based... (Or continent-based if you want. I already rewrote the list of all these IP ranges a couple of months ago for the IP tracker page, we could reuse that for IPv4 IPs!)
Since most spammers are from a different country than the 'expected one', it could be an okay solution. After all, do you know of many people who would move to another continent while their session is opened..? :P

- Thing is, you tend to go a bit much these days for what seems to have become your favorite Wargames quote (and yes it's also one of my cult movies :P), I'm sure you know what quote I mean, but if we keep deciding not to do something, we'll just end up doing nothing at all... SMF died out for years because people were too afraid to rework it!

I'll whip up a quote of my own then...
It's better to have coded and gotten bugs[1], than never to have coded at all.

:edit: Oh come on, that oneat least warrants a Like! :P

1.	I'm not talking about crabs, you naughty naughty boy!