5 thoughts on “

  1. Yeah, I learned this in 1999. Back then, AOL was the single biggest ISP in the world, and AOL users came through some kind of proxy server that made every hit come from a different IP address.

    Locking a session to an IP does make it harder to hijack sessions, but people today expect to put their laptop to sleep, go to a coffee shop, wake it up and keep using their apps.

    I’m not a fan of language session mechanisms: it’s easy to build an application that works 80% right, but getting the next 10% right (that you can get right with sessions) involves learning about the sausage-making that’s going on under the session (both the web tech and the particular mistakes made in that particular session implementation.)

    Getting the last 10% working right is generally a matter of giving up on the session mechanism: it turns out that sessions don’t have ~quite~ correct semantics for most of the things people want to do with them.

    For instance, session-based shopping carts erase themselves all the time without leaving any trace. Mom and pop e-commerce sites often lose between 50-90% of the shopping carts because of session glitches and, because sessions are kept in RAM, have no evidence of this. People will say “we can’t afford to do it right”, but it seems they can afford to lose 50%-90% of their sales…
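    Added example, not code from the post or from Joomla: a small in-memory session store that makes the trade-off above concrete, with a strict per-IP binding (what the comment describes) next to two softer policies that keep the cart alive when a client's address changes. The store, policy names and addresses are assumed for illustration.

    ```python
    import ipaddress
    import secrets

    # What to do when a request's IP differs from the one the session was created on.
    STRICT = "strict"         # drop the session outright (the per-IP lock discussed above)
    SAME_NETWORK = "network"  # tolerate moves within the same /24 (IPv4) or /64 (IPv6)
    STEP_UP = "step_up"       # keep the session, but demand re-authentication before use


    def same_network(ip_a: str, ip_b: str) -> bool:
        """True when both addresses fall in the same /24 (v4) or /64 (v6) block."""
        a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
        if a.version != b.version:
            return False
        prefix = 24 if a.version == 4 else 64
        net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
        return net_a == net_b


    class SessionStore:
        """Hypothetical RAM-backed store: session id -> {user, ip, needs_reauth}."""

        def __init__(self, policy: str = STRICT) -> None:
            self.policy = policy
            self.sessions = {}

        def create(self, user: str, client_ip: str) -> str:
            sid = secrets.token_urlsafe(32)  # unguessable id; the IP check is only a second layer
            self.sessions[sid] = {"user": user, "ip": client_ip, "needs_reauth": False}
            return sid

        def validate(self, sid: str, client_ip: str) -> str:
            """Return 'ok', 'reauth' (session kept but locked) or 'rejected' (session gone)."""
            s = self.sessions.get(sid)
            if s is None:
                return "rejected"
            if s["needs_reauth"]:
                return "reauth"
            if client_ip == s["ip"] or (self.policy == SAME_NETWORK and same_network(client_ip, s["ip"])):
                s["ip"] = client_ip  # follow the client within the tolerated range
                return "ok"
            if self.policy == STEP_UP:
                s["needs_reauth"] = True  # cart and state survive; user must prove identity again
                return "reauth"
            del self.sessions[sid]  # STRICT (and out-of-network moves): treat as a possible hijack
            return "rejected"

        def reauthenticate(self, sid: str, client_ip: str) -> bool:
            """Called once the user has re-entered credentials from the new address."""
            s = self.sessions.get(sid)
            if s is None:
                return False
            s["ip"], s["needs_reauth"] = client_ip, False
            return True
    ```

    The STEP_UP path is the one that keeps the shopping cart mentioned above instead of silently discarding it, while still refusing to serve the session to a new address until the user proves who they are.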

  2. Hi Amit,

    I found your article after spending 8 hours searching the web for answers about this session timeout issue on our site.

    Can you help us to disable this IP address check in Joomla? Is it possible?

    Thanks,

  3. @mark Without modifying the Joomla core files, it is not possible to disable the IP address check in Joomla. Do you really want to change that?

  4. @mark It will make it difficult for you to upgrade Joomla in future and may slightly weaken the security.

    I think if you want it you can make the changes in the SQL query where it checks for the IP address.
