Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117751
Return-Path: <devnexen@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11436 invoked from network); 18 May 2022 18:56:46 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 18 May 2022 18:56:46 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 0B148180384
	for <internals@lists.php.net>; Wed, 18 May 2022 13:37:36 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <devnexen@gmail.com>
Received: from mail-oa1-f46.google.com (mail-oa1-f46.google.com [209.85.160.46])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 18 May 2022 13:37:35 -0700 (PDT)
Received: by mail-oa1-f46.google.com with SMTP id 586e51a60fabf-f1d2ea701dso4234454fac.10
        for <internals@lists.php.net>; Wed, 18 May 2022 13:37:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=lmmN38o6NQUlgdqsTR/bMSh7AcrulyhP8lFUVngVH3g=;
        b=qH+FBFNtouNFvJRv8q6bLIWWTMvMkxYfjSULXqvKgQOQmQYmRUB3cIQj/1xp9hnbll
         W2+9D0s/4elf9mqRY43/ikcw8j6dJjQf+7066l4h/OoVCMb/BUvuDPJrD+mzSMkhjHsk
         RvzFjf0uKtmiSD0N0run4r3Rowdf2ORiYXZe7DrLKhRXxTaV1s7WZZ7YNGsS726qoXEN
         nYHNHGUtqv/UyfdNHCo1aCv0VqDOqzcLzSJ6A7qkZFHkd/YVx5u2R51o+oB++A1OLwMU
         QnCo5zPnTtOeHO9VWoYPJtgx2ePn36nO+bvZ0aV1qSERuafZKnEIcnDywrr2q2xrmI5W
         D6Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=lmmN38o6NQUlgdqsTR/bMSh7AcrulyhP8lFUVngVH3g=;
        b=R0U01TIsLdritehUwWd6eoPferFzxv4liSv2Ln4GvGo5geEdHl9mUoruBbJB1S8oE/
         TkN1E6VZGLIXoeVzVgpAXujbnH1b2mYv8FhmnvdrhP4V2208J0PfuCozstQO1JdSLes/
         Lf6PLoCWHQLVIoXunvzPzQ7SVOsM+XzqRJujp0Qcweylx8zHffqer0F2749P9oecuZRn
         aEw4OjIBBXOcB+Pw7EKOaXmmDHao2rLafDBuOmyfVQOvXR45tQpbaKtQzh0DZMMPjO53
         nbb/Rq5uqU4v+VDX3SwhdaQrMsmkK1ZJC0KgTLQBKPBvKzzN43u9dN5lF+y3DRRfa4sh
         1Zuw==
X-Gm-Message-State: AOAM533nQitZFWUo5w134+Jgil6q+Vh5HzSGSW4hCJL5gAtDVgCOCdxZ
	I4JdZNuQsPnpY7yxr2bQ5YY/ttOEnR+IW6XEMJA=
X-Google-Smtp-Source: ABdhPJzcZp/nE6SSekzKnhVG9pQ855nbNzRX0wyshjmHmDYYgRUPY+slmWtAEt1u4GbAw0tsugMsywJ6uA4EDPWeDmI=
X-Received: by 2002:a05:6870:11c1:b0:e6:dca:5fdc with SMTP id
 1-20020a05687011c100b000e60dca5fdcmr1141588oav.280.1652906254957; Wed, 18 May
 2022 13:37:34 -0700 (PDT)
MIME-Version: 1.0
References: <CA+XhMqw0YmvwXh_pyQgFZcWC1kO7yBrF5pkAhSzB_eHbABFnUw@mail.gmail.com>
 <62841d87.1c69fb81.82a5.8a18SMTPIN_ADDED_MISSING@mx.google.com>
 <9272E23F-F962-4023-B62D-7A70EA08E828@craigfrancis.co.uk> <628518bb.1c69fb81.1deb1.1bd5SMTPIN_ADDED_MISSING@mx.google.com>
 <86A3AC49-1F82-423A-9E66-B334E947E53B@craigfrancis.co.uk> <5b866dcf-cbc7-4441-362b-3fa2c735dd8f@gmx.de>
In-Reply-To: <5b866dcf-cbc7-4441-362b-3fa2c735dd8f@gmx.de>
Date: Wed, 18 May 2022 21:37:23 +0100
Message-ID: <CA+XhMqzQ5KgAMM8CfmbVE8UDQWdy9o-LWY8PtGPC4v+qu_o_8w@mail.gmail.com>
To: "Christoph M. Becker" <cmbecker69@gmx.de>
Cc: Craig Francis <craig@craigfrancis.co.uk>, Mark Randall <marandall@php.net>, internals@lists.php.net
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Early feedback on encrypted session PR
From: devnexen@gmail.com (David CARLIER)

Thanks all for the early feedback.

So it is an attempt to mitigate tampering attacks basically on session
stored on filesystems. So it appears to be a subset of session usage
overall indeed but
doing so in a native manner is what drove the PR.

On Wed, 18 May 2022 at 18:43, Christoph M. Becker <cmbecker69@gmx.de> wrote=
:
>
> On 18.05.2022 at 18:37, Craig Francis wrote:
>
> > On 18 May 2022, at 17:02, Mark Randall <marandall@php.net> wrote:
> >
> >> Personally I usually just throw the session key through a one-way hash=
 so the original session ID never gets written to a backing store.
> >
> > Good idea, but that's not done by default.
>
> But also not by the PR, as I understand it.
>
> >> I'm not sure why reversible encryption needs to take place?
> >
> > It might provide privacy (if the attacker can read the session files, a=
nd they contain sensitive information, e.g. some developers store a copy of=
 the users entire record in the session to avoid db lookups)... and it migh=
t prevent edits being made to the session file.
>
> It is already possible to write an own SessionHandler which
> encrypts/decrypts the session payload.  That said, I'm not against
> adding an encryption option.
>
> > I would hope both are very rare, but I'm still writing up reports about=
 developers doing things like `file_put_contents('/tmp/' . $_POST['id'], $_=
POST['message'])`, so I don't have a lot of hope.
>
> Right.  And no amount of magic features implemented by a language or
> library will prevent such issues completely.  It might not have been the
> best idea to make PHP so beginner friendly.
>
> --
> Christoph M. Becker
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>