Jared Farrish wrote:
I've asked the internals list why PHP doesn't natively validate the
session ID by using the user agent or other variables because I actually
don't know the reasoning behind it. I'll let you know what they say.
I would think it's because browsers are flaky and you can't really rely on
them, and that means you can't build it into the system check.
I'm not sure how much closer to the horses mouth I can get...
http://marc.info/?l=php-dev&m=118046750523448&w=2
That's the definition of a session. It's a server-side store of data
related to a single user of a web application.
I think this is another reason why the internals don't support
authentication of sessions. Is it up to a session to authenticate itself?
Should it be? What if you wanted to override that behavior?
Seeing as how the session functionality is provided through an
extension, overriding it is simplicity itself. Plus there is already a
way to implement a session handler in user space.
I don't mind "this is standard practice," but EXPLAIN what you mean. What
standard practice?
I'm sorry, I had assumed you knew how PHP sessions work. When a session
is created it is assigned a unique ID. That ID is transported between
the client and the server on each request. The server uses that ID to
identify which session it is, get the data and make it available to the
scripts.
I have to admit that some of this back-and-forth comes from my desire to
get
what I want out of your responses, which I know is probably a little
frustrating. How do people who know little about PHP know what session best
practices are, spelled out? I'm not a noob, but I've still learned a good
deal from your responses that I didn't know before. What about the OP?
If there's anything you want me to go into in more detail please just
ask. I certainly don't think I know it all, but I've been around this
block more than a few times. On the other hand I'm always open to the
possiblity that there's a better way(tm).
In all reality, I actually agree with you about sessions in my
heart-of-hearts (maybe a little more now after this thread), as they are
the
simplest to implement, and the checks performed on authentication are as
robust as any involving cookies (which can become hopelessly bogged down in
checks, digests, and rechecks), although I posit the SAME thing can be
achieved with instances of cookies. However, simplicity should be the
operative word, and the complexity of the approach I have described is more
than a little troublesome.
The same "functionality" can be achieved with cookies, just like the
functionality of a calculator can be achieved with an abacus.
I appreciate that you posted the historical information on sessions and
cookies. Whether it's accurate to reality, I don't know, but it makes
sense,
not lemons, so for now, it's good enough for me!
It was definitely abridged, but that's the jist of how sessions evolved.
p.s. Maybe everyone wasn't around when that history occurred...
Don't throw your youth at me, it's unlikely to help.
-Stut
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
