[RCD] Session Class Questions

stephane martin stef.martin at gmail.com
Thu Sep 12 02:24:57 CEST 2013


AFAIK that's the usual technique against session theft in PHP. Lots of PHP
apps look the same.

Stephane
On 11 Sept 2013 23:13, "Rodrigo Castillo" <rodrigo at corp.sonic.net>
wrote:

> I'm exploring the rcmail_session class to hunt down some intermittent
> issues with untimely session expiration, and to develop a better
> remember_me extension (or attempt to get it into core...).
>
> I came across the following code
>
> ...
>     /**
>      * Setter for session lifetime
>      */
>     public function set_lifetime($lifetime)
>     {
>         $this->lifetime = max(120, $lifetime);
>
>         // valid time range is now - 1/2 lifetime to now + 1/2 lifetime
>         $now = time();
>         $this->now = $now - ($now % ($this->lifetime / 2));
>     }
> ...
>     /**
>      * Create session cookie from session data
>      *
>      * @param int Time slot to use
>      */
>     function _mkcookie($timeslot)
>     {
>         $auth_string = "$this->key,$this->secret,$timeslot";
>         return "S" . (function_exists('sha1') ? sha1($auth_string) : md5($auth_string));
>     }
> ...
>     /**
>      * Check session authentication cookie
>      *
>      * @return boolean True if valid, False if not
>      */
>     function check_auth()
>     {
> ...
>         if ($result && $this->_mkcookie($this->now) != $this->cookie) {
> ...
>     }
>
> It's quite deliberate, and it made me curious as to the reasoning behind
> the decision not to simply include a 'created_at' and 'expires_at' within
> the cookie, which would simplify the validation of the timespan. Is the
> reason for security, or perhaps a load-balancing?
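As an added illustration (not Roundcube's code and not part of either message above), here is a minimal PHP model of the time-slot cookie scheme quoted in the thread. The class name, the choice of an HMAC-SHA256 keyed with the server secret in place of the quoted sha1 concatenation, and the acceptance of the previous slot during validation are assumptions made for this example; the quoted check_auth() elides what happens after the first comparison fails.

```php
<?php
// Added example, not Roundcube code: a model of the time-slot session cookie
// scheme quoted in the thread. Names and the HMAC construction are assumptions.

final class SlotCookie
{
    private int $lifetime;  // session lifetime in seconds (min 120, as in the quoted setter)
    private int $slotLen;   // one slot = half the lifetime, as in the quoted set_lifetime()

    public function __construct(int $lifetime)
    {
        $this->lifetime = max(120, $lifetime);
        $this->slotLen  = intdiv($this->lifetime, 2);
    }

    // Round a timestamp down to the start of its slot (the quoted $this->now).
    public function slot(int $ts): int
    {
        return $ts - ($ts % $this->slotLen);
    }

    // Build the cookie value for a given slot. The quoted code hashes
    // "key,secret,timeslot" with sha1; an HMAC keyed with the server secret is
    // used here (assumption) so the secret acts as a key rather than as hashed content.
    public function make(string $sessionKey, string $secret, int $slot): string
    {
        return 'S' . hash_hmac('sha256', $sessionKey . ',' . $slot, $secret);
    }

    // Validate a presented cookie at time $now. The current slot and the one
    // before it are accepted (assumption about the elided part of check_auth),
    // so a cookie issued just before a slot boundary is not rejected seconds later.
    // hash_equals() keeps the comparison constant-time.
    public function check(string $cookie, string $sessionKey, string $secret, int $now): bool
    {
        $cur = $this->slot($now);
        foreach ([$cur, $cur - $this->slotLen] as $candidate) {
            if (hash_equals($this->make($sessionKey, $secret, $candidate), $cookie)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed values for a stand-alone run.
$sc     = new SlotCookie(600);          // 10-minute lifetime, 300-second slots
$key    = 'constructed-session-id';
$secret = 'constructed-server-secret';
$issued = 1378937000;                   // constructed timestamp; its slot starts at 1378936800
$cookie = $sc->make($key, $secret, $sc->slot($issued));

var_dump($sc->check($cookie, $key, $secret, $issued + 60));   // 60 s later: same slot
var_dump($sc->check($cookie, $key, $secret, $issued + 250));  // 250 s later: the following slot
var_dump($sc->check($cookie, $key, $secret, $issued + 700));  // 700 s later: two slots on
```

The property worth noticing is that the slot number is computed on the server and never travels in the cookie: the client receives only a hash, so there is no created_at or expires_at field it could edit, and the validity window is bounded by the server's clock alone. Putting those timestamps in the cookie instead would work only if they were also covered by a keyed MAC, which is essentially what the time-slot hash already does implicitly. The flip side, visible in the three calls above, is that a cookie issued early in a slot lives almost a full lifetime while one issued just before a boundary lives only about half, so acceptance is between lifetime/2 and lifetime depending on issue time.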

