Newsgroups: php.internals
Xref: news.php.net php.internals:69303
Date: Tue, 24 Sep 2013 11:29:25 +0900
To: internals@lists.php.net
Subject: Regenerating session ID automatically when IP address has changed
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

There isn't any good countermeasure against session hijacking. However, we can regenerate the session ID if the IP address has changed. Hijacked users might notice that they have been logged out if the session ID is regenerated by attackers. Therefore, users have a slight chance to notice that they were under attack. It's not greatly effective, but better than nothing.

Although this can be implemented in a user script, it would be better if the session module supported this behavior. Better security by default is a good thing.

It requires an INI setting, since some apps may assume the session ID would not change. (I do not encourage using the session ID for CSRF protection, but there are such implementations, for example.)

A concern is that there are a growing number of browsers that share state. I have not researched these browsers' behavior yet. I suppose session cookies (expire=0) would not be shared.

Does anyone have any comments on this?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
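The post says the behaviour can already be implemented in a user script. The following is an added example of such a script, written for this page and not code from the original post or from the PHP session module; the session key name `_client_ip` and the helper name are this example's own choices, and it assumes the application already has a session cookie configured.

```php
<?php
// Added example (not from the original post): user-script implementation of
// "regenerate the session ID when the client IP address changes".
//
// Assumption: $_SERVER['REMOTE_ADDR'] is the real client address. Behind a
// reverse proxy it is the proxy's address, so this check would have to use the
// address the proxy forwards instead (not shown here).

/**
 * Compare the caller's address with the one recorded on the previous request.
 * On a change, issue a fresh session ID and destroy the old one, so whoever is
 * still presenting the old ID ends up with an empty session (i.e. logged out),
 * which is the signal the post wants the legitimate user to notice.
 *
 * Returns true when the ID was regenerated, false otherwise.
 */
function regenerate_session_on_ip_change(string $remote_addr): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $previous = $_SESSION['_client_ip'] ?? null;

    if ($previous === null) {
        // First request of this session: only record the address.
        $_SESSION['_client_ip'] = $remote_addr;
        return false;
    }

    if ($previous === $remote_addr) {
        return false;
    }

    // Address differs: new ID for the current bearer, old ID's data deleted.
    // delete_old_session = true so the old ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['_client_ip'] = $remote_addr;
    return true;
}

// Usage: run early in every request, before any output is sent.
$changed = regenerate_session_on_ip_change($_SERVER['REMOTE_ADDR'] ?? '');
if ($changed) {
    // Worth logging: a burst of these for one account is a hijack indicator,
    // although mobile clients changing networks will also trigger it.
    error_log('session ID regenerated after client IP change');
}
```

The `session_regenerate_id(true)` call is what produces the "logged out" effect the post describes: the session data moves to the new ID and the old ID is deleted, so the party that did not make the triggering request loses the session. Applications that store the session ID elsewhere (the CSRF-token misuse mentioned in the post) would break under this, which is why the post argues for making it an INI-controlled option rather than unconditional.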