Discussion:
list sessions
Sigurd Nes
2008-07-13 21:14:51 UTC
Hi all,

The new session handler in trunk has all necessary meta-data about the session
embedded in the session itself.

If suhosin - the Hardened-PHP Project is enabled - the session data is encrypted
and the list sessions feature can not be used.

I think the list session is useful for tracking users in case of remote problem
solving.

How about re-enabling the meta information unencrypted outside the session data
so it is available to the list session?

This also affects the count of current users.

Regards

Sigurd
Dave Hall
2008-07-14 13:05:48 UTC
Post by Sigurd Nes
Hi all,
The new session handler in trunk has all necessary meta-data about the session
embedded in the session itself.
If suhosin - the Hardened-PHP Project is enabled - the session data is encrypted
and the list sessions feature can not be used.
I think the list session is useful for tracking users in case of remote problem
solving.
How about re-enabling the meta information unencrypted outside the session data
so it is available to the list session?
This also affects the count of current users.
Security always comes at a cost.

If people really need this functionality it can be documented and those
users can either disable suhosin or use db sessions. I fail to see what
benefit it brings for the overhead involved.

btw you can get the current session count by using a unique path for
storing the session files.

Cheers

Dave
Sigurd Nes
2008-07-14 17:46:50 UTC
Post by Dave Hall
Post by Sigurd Nes
Hi all,
The new session handler in trunk has all necessary meta-data about the session
embedded in the session itself.
If suhosin - the Hardened-PHP Project is enabled - the session data is encrypted
and the list sessions feature can not be used.
I think the list session is useful for tracking users in case of remote problem
solving.
How about re-enabling the meta information unencrypted outside the session data
so it is available to the list session?
This also affects the count of current users.
Security always comes at a cost.
If people really need this functionality it can be documented and those
users can either disable suhosin or use db sessions. I fail to see what
benefit it brings for the overhead involved.
The only choice is to disable suhosin, as db-sessions are encrypted as well.

To have the (old) fields such as lid, action and logintime is very cheap - I don't
think it is noticeable at all as it is only accessed twice per page view.
Post by Dave Hall
btw you can get the current session count by using a unique path for
storing the session files.
Regards

Sigurd
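A sketch of the proposal discussed in this thread, added here as an example (it is not code from the project under discussion or from suhosin): a PHP session handler that writes lid, action and logintime to a small plaintext record beside each session file, so a list-sessions view and the user count keep working while the session payload itself stays encrypted. The class name, the file layout, the `setMeta()` call and the PHP >= 5.4 `SessionHandlerInterface` are assumptions.

```php
<?php
// Added example, not code from the project under discussion or from suhosin:
// a file-based session handler keeping a small unencrypted meta record (lid,
// action, logintime) beside each session file, so "list sessions" and the user
// count keep working when suhosin encrypts the payload. Assumes PHP >= 5.4 and
// a save path private to the web server user; the meta files have only that
// directory's protection, which is the cost Dave's reply points at.
class MetaSessionHandler implements SessionHandlerInterface
{
    private $path;
    private $meta = array();

    public function __construct($path) { $this->path = rtrim($path, '/'); }

    private function file($id, $ext = '')
    {   // Only PHP's own session id alphabet is accepted, so a forged cookie can never become a path.
        if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) { throw new InvalidArgumentException('bad session id'); }
        return $this->path . '/sess_' . $id . $ext;
    }

    // Called by the application once lid/action are known for this request (assumed API).
    public function setMeta($lid, $action, $logintime) { $this->meta = array('lid' => $lid, 'action' => $action, 'logintime' => (int) $logintime); }

    public function open($savePath, $name) { return is_dir($this->path) || mkdir($this->path, 0700, true); }
    public function close() { return true; }
    public function read($id) { $f = $this->file($id); return is_file($f) ? (string) file_get_contents($f) : ''; }
    public function destroy($id) { @unlink($this->file($id, '.meta')); return @unlink($this->file($id)); }

    public function write($id, $data)
    {   // $data may already be encrypted by suhosin; it is stored untouched.
        $ok = file_put_contents($this->file($id), $data, LOCK_EX) !== false;
        if ($ok && $this->meta) {
            $ok = file_put_contents($this->file($id, '.meta'), json_encode($this->meta), LOCK_EX) !== false;
        }
        return $ok;
    }

    public function gc($maxlifetime)
    {   // Expire the session file and its meta record together.
        foreach ((array) glob($this->path . '/sess_*') as $f) {
            if (substr($f, -5) !== '.meta' && filemtime($f) + $maxlifetime < time()) { @unlink($f); @unlink($f . '.meta'); }
        }
        return true;
    }

    // The "list sessions" view: one row per logged-in session, read from the meta files alone; count($rows) is the user count.
    public static function listSessions($path)
    {
        $rows = array();
        foreach ((array) glob(rtrim($path, '/') . '/sess_*.meta') as $m) {
            $rows[substr(basename($m, '.meta'), 5)] = json_decode(file_get_contents($m), true);
        }
        return $rows;
    }
}
```

Register it with `session_set_save_handler(new MetaSessionHandler('/var/lib/app-sessions'), true)` before `session_start()`; sessions that never called `setMeta()` (not logged in) are counted by the session files but do not appear in `listSessions()`.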