Can't we just store sessions per IP address? (Didn't we already have this discussion..?)
And I don't understand that confusing page, really -- what exactly does it do in reality?
And shouldn't this be a private topic?
And PHPSESSID -- can't we just get away by changing the var name?
- If PHPSESSID being 'guessable' is the problem, then it's also a problem when it's stored in a cookie. Meaning, we can't have guest sessions AT ALL. Of course I'm not sure at which point we're using sessions for guests, but still..?!
- Guest count is important to me, although I agree that it's unreliable at best (if only because there are countless unnamed bots over the web.) But I can already see people saying, "ever since I installed Wedge, my forum's visit count has dropped by 1857%! This is an outrage to SEO gods!"
- And yes, I have this annoying tendency to forget about earlier topics... So many things we discussed in the past. So many features/ideas we decided to implement, but none of us added it to a to-do-list, and it gets forgotten forever etc...
If session ids are guessable, and can be brute-forced, they can be brute-forced for session spoofing. Delivery method of that makes no difference.
As far as using sessions for guests, the answer currently is all the time. Every request either creates a new session or perpetuates an existing one, with the intent to try and get an idea of the number of 'unique' browsers.
Anyone who really cares is going to install an analytics package anyway, which is probably more reliable than Wedge doing it itself,
OTOH, anything with a ID less than 2 million bytes long will be guessable by brute force... It's just that something was discovered that makes it faster to brute force.
So, the alternative would be..? Storing a log of all recent guest requests, along with IP and requested URL? Otherwise, what are we gonna show in whosonline..?
I do care (a bit) about stats, I check them at least every once in a while (like, 6-7 times a year), and yet if I suddenly found myself without any non-member stats, I'd be quite upset...
it's okay for websites that sell you something, I guess, but we're talking about a forum system... GA will only make it slower.
Brute forcing a couple of billion combinations is sufficiently big it's going to be noticed. But if you can do a much smaller number of requests and be able to understand how mt_rand is going to be seeded, you can access sessions with a much, much lower number of hits, probably enough it's going to get under most radars.
Which is the sticking point of the argument. I do not believe who's online is actually that useful for guests,
But the thing is, once you get a forum up and running... Are you spending your time checking for weird session behavior? I would bet not...
Well, it's useful for me: (1) spotting what could be a bot
(2) spotting links that shouldn't be accessible to guests and yet are being accessed,
(3) generally determining whether my host is cutting my access because I have too many regular users (like, was I mentioned on a high-profile blog?)
Well, I'm certainly accessing the Who's page more often than the intrusion log.
At minimum I usually have four to six servers handling request. I also wonder how these sessions work in this setup. Is there some sort of syncing going on between them that they somehow look like one system.
No matter, it looks like session ids are predictable. What does this actually mean being able to guess a session?
Thinking about hijacking sessions even if your able to spoof another networks IP address the server isn't going to send you anything back and plus you don't have a cookie.
Can't you just check the IP address and see if it matches the one in the session
but maybe you can ignore the session information and create a new one like if they didn't have a session to begin with.
I'm not sure, though, whether the same risk is also applicable to session_id() or not, if it is there's a much bigger problem.
That's what I mean. If someone brute-forces in the manner you're thinking, they're going to generate an obscene number of requests and even the most inept host is going to notice that. But with this technique, session stealing is potentially within the region of requests where hosts may or may not notice it.
For the second time... no.Quote Can't you just check the IP address and see if it matches the one in the session
Take one IP address, a couple of time stamps, md5 the lot. Now please tell me how you extract the IP address from this.
For the second time... no.
Take one IP address, a couple of time stamps, md5 the lot. Now please tell me how you extract the IP address from this.
- We don't give a damn about guests having their PHPSESSID stolen, of course.
- Can you quote a single case where someone would change their IP all of a sudden while browsing? It would definitely disrupt more than one site...
- How 'bout accepting an IP change in the same range?
- And if we provide this as an option, disabled by default, it's a win-win situation...
| 1. | I'm not talking about crabs, you naughty naughty boy! |
- Range can even be country-based...
Since most spammers are from a different country than the 'expected one', it could be an okay solution. After all, do you know of many people who would move to another continent while their session is opened..?
Thing is, you tend to go a bit much these days for what seems to have become your favorite Wargames quote
That's all I'm saying... An option, disabled by default ;)
(Removing the ban system? You mean the IP ban system, right...?)