Newsgroups: php.internals
Xref: news.php.net php.internals:101644
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
Date: Sun, 21 Jan 2018 19:21:24 +0900
To: Dominic Guhl
Cc: PHP internals
In-Reply-To: <08.38.12394.386F36A5@pb1.pair.com>
References: <08.38.12394.386F36A5@pb1.pair.com>
Subject: Re: [PHP-DEV] Better Session Management by OTP encryption

Hi Dominic,

On Sun, Jan 21, 2018 at 11:10 AM, Dominic Guhl wrote:

> The PHP documentation on Session Data Deletion:
>
> > Obsolete session data must be inaccessible and deleted. Current
> > session module does not handle this well.

Session managers must remove obsolete sessions for security reasons. The PHP session module does not handle this well. There was an RFC:

https://wiki.php.net/rfc/precise_session_management

I think those who opposed this RFC do not understand the security implications/risks w/o this proposal.

This can be done by user code as well. Some people insisted this kind of feature should be implemented in frameworks, even though no framework had implemented it.

It's been 5 years since the RFC was created. All PHP frameworks and apps should have implemented proper session management by now. If not, we had better implement it in the session module, IMO.

The current OWASP session management cheat sheet
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_Expiration
defines idle/absolute/renewal timeouts. PHP cannot handle any of them properly.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
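As an added illustration of the "this can be done by user code" point above (example code written for this page, not code from the thread, the RFC, or the PHP session module), the following enforces the three OWASP timeouts the message names on top of `session_start()`. The timestamps are kept server-side in `$_SESSION`; the timeout values are constructed and illustrative; and the grace window for a replaced session id relies on PHP 7.1+ writing the old session data before `session_regenerate_id()` switches ids (an assumption stated in the comments).

```php
<?php
declare(strict_types=1);

// Added example, not part of the original message or the PHP project.
// Idle, absolute and renewal timeouts enforced in user code.
// Timeout values below are constructed for illustration.
const IDLE_TIMEOUT     = 15 * 60;  // seconds allowed between two requests
const ABSOLUTE_TIMEOUT = 8 * 3600; // seconds a session may live since creation
const RENEWAL_INTERVAL = 10 * 60;  // regenerate the session id this often
const OBSOLETE_GRACE   = 60;       // seconds an already-replaced id is still accepted

// Drop all data in the current session and move the client to a fresh id.
// session_regenerate_id(true) deletes the old session storage, so the
// expired id becomes unusable immediately.
function reset_session(int $now): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['created']  = $now;
    $_SESSION['renewed']  = $now;
    $_SESSION['activity'] = $now;
}

// Pure check: true if the stored timestamps say this session must not be used.
function session_is_expired(array $s, int $now): bool
{
    if (!isset($s['created'], $s['activity'])) {
        return true;                                 // no bookkeeping: treat as stale
    }
    if ($now - $s['activity'] > IDLE_TIMEOUT) {
        return true;                                 // idle timeout
    }
    if ($now - $s['created'] > ABSOLUTE_TIMEOUT) {
        return true;                                 // absolute timeout
    }
    // An id retired by renewal is tolerated only for a short grace window,
    // which covers concurrent requests that still carry the old cookie.
    if (isset($s['obsolete_at']) && $now - $s['obsolete_at'] > OBSOLETE_GRACE) {
        return true;
    }
    return false;
}

function secure_session_start(): void
{
    // Refuse ids the server never issued and keep the cookie out of scripts.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
    $now = time();

    if (session_is_expired($_SESSION, $now)) {
        reset_session($now);                         // also drops any login state
        return;
    }

    // Renewal timeout: periodically replace the id. The old id is marked
    // obsolete and left in storage for OBSOLETE_GRACE seconds instead of
    // being deleted outright. Assumption: PHP >= 7.1, where
    // session_regenerate_id() writes the old session data before switching.
    $renewed = $_SESSION['renewed'] ?? $_SESSION['created'];
    if (!isset($_SESSION['obsolete_at']) && $now - $renewed > RENEWAL_INTERVAL) {
        $_SESSION['obsolete_at'] = $now;             // persisted into the OLD session
        session_regenerate_id(false);
        unset($_SESSION['obsolete_at']);             // the NEW session is live
        $_SESSION['renewed'] = $now;
    }

    $_SESSION['activity'] = $now;
}

secure_session_start();
```

Because `session_is_expired()` takes the session array and the clock as arguments, it can be unit-tested without a running session: feed it arrays with `created`, `activity` and `obsolete_at` values just inside and just outside each limit and confirm the boundary behaviour before deploying. Note that the grace window is a deliberate trade-off: the replaced id stays valid for `OBSOLETE_GRACE` seconds so that requests in flight do not lose their session, which is exactly the obsolete-session window the RFC above proposes to manage inside the session module.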