Newsgroups: php.internals
Date: Tue, 29 Nov 2011 05:51:49 +0900
To: Hannes Magnusson, internals@lists.php.net
References: <4EBDC283.3040700@yahoo.co.jp> <4ECC30C7.9060201@oracle.com>
Subject:
Re: [PHP-DEV] Strict session?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

Some users who have tested this patch asked me if it is possible to delete the offending cookies that enable a targeted DoS attack.

https://wiki.php.net/rfc/strict_sessions

I would like to add a patch that deletes offending cookies, which may be controlled by a php.ini setting.

I can try to delete possibly offending cookies, but recent browsers only send the outstanding cookie. Therefore, it is impossible to know whether all offending cookies were successfully deleted. This feature will be a best-effort feature.

I think the setting for deleting cookies should be off by default, so that users can notice configuration problems (i.e. cookie path/domain, session name).

This patch eliminates session adoption/fixation, but introduces a targeted DoS, as I mentioned already. Even if it may not be possible to delete all malicious cookies, it is worthwhile to have this feature.

Any comments?

Hannes, I could edit the page once, but the "save" button is disabled for some reason. Could you check my karma? Thank you.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
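An added example, not the RFC patch and not PHP's own session extension, modelling the behaviour discussed above in userland PHP: an unknown session ID is never adopted, and before the fresh cookie is set the server emits best-effort deletion cookies for a constructed list of path/domain pairs; the in-memory store, the candidate list and the session ID values are all assumptions for illustration.

```php
<?php
// Added example: userland model of strict session ID handling plus
// best-effort deletion of an offending cookie. $store stands in for the
// save handler; the candidate path/domain list is hypothetical.

const SESSION_NAME = 'PHPSESSID';

// Deletion cookies for every path/domain pair the server thinks it may have
// used. A browser sends only the one "outstanding" cookie per name, so the
// server cannot see which planted cookies exist; it can only guess.
function deletion_headers(array $candidates): array {
    $headers = [];
    foreach ($candidates as [$path, $domain]) {
        $h = SESSION_NAME . '=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=' . $path;
        if ($domain !== null) {
            $h .= '; Domain=' . $domain;
        }
        $headers[] = 'Set-Cookie: ' . $h;
    }
    return $headers;
}

// Strict mode: an ID the save handler does not know is never adopted.
// Returns the ID to use and the response headers to send, in order.
function strict_session(array $store, ?string $presented, bool $deleteOffending, array $candidates): array {
    if ($presented !== null && isset($store[$presented])) {
        return ['id' => $presented, 'headers' => []];
    }
    $fresh = bin2hex(random_bytes(16));   // server-generated replacement
    $headers = [];
    if ($presented !== null && $deleteOffending) {
        // Best effort only: a planted cookie on a path/domain not listed in
        // $candidates survives and keeps shadowing the fresh cookie.
        $headers = deletion_headers($candidates);
    }
    // The fresh cookie is sent last so it is not clobbered by the deletions
    // that target the same (name, path, domain) key.
    $headers[] = 'Set-Cookie: ' . SESSION_NAME . '=' . $fresh . '; Path=/; HttpOnly';
    return ['id' => $fresh, 'headers' => $headers];
}

// Constructed scenario: the store knows one ID, the request carries another.
$store = ['a1b2c3d4e5f60718293a4b5c6d7e8f90' => ['user' => 'alice']];
$candidates = [['/', null], ['/app', null], ['/', 'example.com']];
$result = strict_session($store, 'plantedid00000000000000000000000', true, $candidates);
echo "Session ID in use: {$result['id']}\n";
foreach ($result['headers'] as $h) {
    echo $h, "\n";
}
```

Run with the php CLI; the output shows that the planted ID is discarded and that the deletion headers are only as complete as the candidate list, which is why the mail calls the feature best effort.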