Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120766
Return-Path: <rowan.collins@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 91288 invoked from network); 7 Jul 2023 17:13:42 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 7 Jul 2023 17:13:42 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 0E0B91804F5
	for <internals@lists.php.net>; Fri,  7 Jul 2023 10:13:42 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <rowan.collins@gmail.com>
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri,  7 Jul 2023 10:13:41 -0700 (PDT)
Received: by mail-wr1-f48.google.com with SMTP id ffacd0b85a97d-3144098df56so2329007f8f.2
        for <internals@lists.php.net>; Fri, 07 Jul 2023 10:13:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1688750020; x=1691342020;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :from:to:cc:subject:date:message-id:reply-to;
        bh=AkBm2Go9JPqyDLJPLRtQSOkqqpBtQKX2zGreqFEAZ/k=;
        b=ClZbOQIvY4tOOOXz4Y89uHliIG+lniUJUJ662quFNz0OXAFwqLmqpVWDoT5lv5YbBw
         EklxnEJbD2YPH6kIVoxcWj9PMTpv4D8HhmFt2hwtPVkWnkJPqzjSoB8lz8FyOLh1jrOZ
         v8//iNGmg4qoah/ietmvXZWmseB5syekWjVzysyMUwGmmYG6IZ8Xad9FuJxPxlhn9caf
         bFDte4sV/7mTXrEAlpfCqNggyNYAdshtncOgd8ytPiXQG7cB+fBu/5f1Lc07/3B2twuP
         MXDCSczwHh5mWommm2KXSImR6VEJIbiuHRIbUnH7Stl8aIDIm1zB1/xciKczofRsG+aC
         aHIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1688750020; x=1691342020;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=AkBm2Go9JPqyDLJPLRtQSOkqqpBtQKX2zGreqFEAZ/k=;
        b=gq6KbyfYQKbKSSr1DA0ZhT7ohruuoBFWcRWGWcCyr0wUX/xROOqZhUqhAcdhhD17zR
         T2GjGQ/yRdCAd3YbqUY29CxqOPG7LUw9aCmlvK6N1/oo/xlh2Pc8FzI1+lAZiR+fKeXz
         cRlrSolSCEDSo1n3OSOh2UnjvtXP/B/I3yu2Q7Hka5DX+Q1kYagRs8Ou8lXfr+5Mk4a/
         n1r02Dp6uLX6afcwRYnIrmL+vwfgR2AtuMk3lO6mNdoFbhiIV/5kTBaAd9Qdw+iBijQc
         OgC1E8UUn+Gv0H9AyNhlew1y6KsRHK1H5+ERIl9HJBe2z2Dxht3VWhr9lm6f2s5vDkff
         6QWQ==
X-Gm-Message-State: ABy/qLYSFQg/L9S2FH0MkaTDaac4RShC/JGP2oSR7eC2b33s4tucUJuw
	qbe/ebKIwvJdY8bzKK7/lDWUNfPz366u//snjunxiTebrQI=
X-Google-Smtp-Source: APBJJlEk+DWNiDUosxR/ceUz/stfRT2V/mMn8463wfUP2D3c3neEMdM37+mR3FbZ/egZZH/1Dip6yZnHFrHfaMmCGOw=
X-Received: by 2002:a5d:6850:0:b0:313:e6f3:d05a with SMTP id
 o16-20020a5d6850000000b00313e6f3d05amr5001117wrw.16.1688750019829; Fri, 07
 Jul 2023 10:13:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAEwRQKb1_WQBKR8GJJVrPL3o3QLo=JXNemFMovGY0yFyLdUk-g@mail.gmail.com>
In-Reply-To: <CAEwRQKb1_WQBKR8GJJVrPL3o3QLo=JXNemFMovGY0yFyLdUk-g@mail.gmail.com>
Date: Fri, 7 Jul 2023 18:13:28 +0100
Message-ID: <CALKiJKptpNF4YZkhQ0kFsJRacpBmvEvXPc7OvG8iXFDnnJ3GMg@mail.gmail.com>
To: internals@lists.php.net
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] session_regenerate_id concurrency problems
From: rowan.collins@gmail.com (Rowan Tommins)

On 7 July 2023 01:32:39 BST, Vinicius Dias <carlosv775@gmail.com> wrote:
>The documentation page for the `session_regenerate_id`[1] function has
>the following warning:
>
>> **Warning**
>Currently, session_regenerate_id does not handle an unstable network
>well, e.g. Mobile and WiFi network.
> ...
>
>Since the documentation states that this problem exists **currently**,
>are there any plans to address it?


The original version of that note [1] was added by the same author,
Yasuo Ohgaki, as a declined RFC [2], which aimed to add various
additional security functionality to PHP's session mechanism.

The RFC seems to have mostly been declined for trying to do too much,
and generally being too complex. Some parts of it were later
introduced separately, but it seems like this particular problem
wasn't revisited; the wording in the manual may be indicating that
Yasuo hoped to do so, but that was nearly 7 years ago.

The fundamental problem is that you can't guarantee that requests and
responses will happen exactly in order: a browser might send a second
request with the old ID before it receives the first response with the
new ID, so the idea is to add a short "grace period" where both IDs
are accepted. The barrier to getting this into PHP is that currently
PHP doesn't manage any content in the session - it generates session
IDs, and uses a pluggable persistence layer to store whatever the user
asks for. The rejected RFC proposed a reserved '__PHP_SESSION__' array
inside the session to store the extra data, which on the face of it
isn't a terrible idea.

The standard cheeky open source reply therefore applies: if you think
you have a good implementation, feel free to contribute it; but
otherwise, look to a framework or library for a userland
implementation.

[1] https://github.com/php/doc-en/commit/56562880bd287b2d96519932044f911db518f2cf
[2] https://wiki.php.net/rfc/precise_session_management

Regards,
-- 
Rowan Tommins
[IMSoP]