Newsgroups: php.internals
From: Eric Mann
To: internals@lists.php.net
Date: Wed, 18 May 2022 12:03:37 -0700
Subject: Re: [PHP-DEV] Early feedback on encrypted session PR

I'm not sure I'm a fan of the PR as it stands, but the idea of encrypting session data - definitely.

When sessions are stored on disk, that data is plainly visible by anyone (or any process) with read access to that disk. If they're cached instead in a DB or an in-memory system like Memcached, the same rules apply - anyone else who can read data from that system can read what's stored in the session.

That being said, how much you care about this level of access depends very much on your threat model. If sessions are storing data like upvotes or view counts, this information likely isn't sensitive enough to worry about whether or not things are encrypted. If you're storing customer PII in a session, though, then protecting this data "at rest" in your session store becomes critical.

> It is already possible to write an own SessionHandler which
> encrypts/decrypts the session payload. That said, I'm not against
> adding an encryption option.

This is 100% the route I've taken in the past. https://github.com/ericmann/sessionz (which I admit needs some updates) includes one example SessionHandler implementation that does just that.

However, it would be fantastic to see this as part of the standard library. Session management in PHP can be tricky, particularly in larger applications with multiple entry/return points. A standard (read: simplified) implementation would go a long way.

--
Security Principles for PHP Applications
Eric Mann
Tekton
PGP: 0x63F15A9B715376CA
P: 503.925.6266
E: eric@eamann.com
eamann.com
ttmm.io