Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69304
Return-Path: <laruence@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 56524 invoked from network); 24 Sep 2013 02:42:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Sep 2013 02:42:52 -0000
Authentication-Results: pb1.pair.com header.from=laruence@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=laruence@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.46 as permitted sender)
X-PHP-List-Original-Sender: laruence@gmail.com
X-Host-Fingerprint: 209.85.215.46 mail-la0-f46.google.com  
Received: from [209.85.215.46] ([209.85.215.46:59435] helo=mail-la0-f46.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 66/70-54184-92CF0425 for <internals@lists.php.net>; Mon, 23 Sep 2013 22:42:49 -0400
Received: by mail-la0-f46.google.com with SMTP id eh20so3121639lab.19
        for <internals@lists.php.net>; Mon, 23 Sep 2013 19:42:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=tP2B58FyoUQ1GUrJwEIvq/obgkyfcbx55dZEi8DcpL8=;
        b=A0xB+xjrFezY1wsoZ/Ddq+eoKTkp09T4KSJ1BBUuuVemtlQJn+7skHg5myqrNTxvGh
         zPfFuf5pv+kO8ce8MdK5cmrNpDT73vpZA0YFVZq9ECAlaRsfV1Tb+uEjAHh28OR6wMAt
         FMspSNRMn0FsyCPcu/idP0Iobn8MOcyei9XUFQHlYVFM5LZALbdITh+XW4EEGmSgKhIs
         cDjWOd8I2p5NGilHYGHHgr/9VqOTGO6c1k7MVPGds7d5esb7gGmDaynNW1EbijaSLXzC
         4MKcT9706/OW+r2QvdrUPR0aGitjRbIxZTX1QxlVgYSIlenrVgH+J9AOiZIX4RFTakut
         aDZw==
X-Received: by 10.152.36.98 with SMTP id p2mr22875872laj.14.1379990565650;
 Mon, 23 Sep 2013 19:42:45 -0700 (PDT)
MIME-Version: 1.0
Sender: laruence@gmail.com
Received: by 10.114.224.228 with HTTP; Mon, 23 Sep 2013 19:42:25 -0700 (PDT)
In-Reply-To: <CAGa2bXbh6dOf41nZ0r-RuRtkCuuiA=r=SnxS+A1+GgqFXPGOWQ@mail.gmail.com>
References: <CAGa2bXbh6dOf41nZ0r-RuRtkCuuiA=r=SnxS+A1+GgqFXPGOWQ@mail.gmail.com>
Date: Tue, 24 Sep 2013 10:42:25 +0800
X-Google-Sender-Auth: p5LewP_2b5bA_UQvwLMVwbDmf48
Message-ID: <CABBJUpdNr6McK6Q4qtztiYYG9CKZF7AeUdvo3YM+W0S87f8nDg@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address
 has changed
From: laruence@php.net (Laruence)

Hey:


On Tue, Sep 24, 2013 at 10:29 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> Hi all,
>
> There isn't any good counter measure session hijack.
> However, we can regenerate session ID if IP address has changed.
> Hijacked users might notice that they have been logged out if session
> ID is regenerated by attackers. Therefore, users have slight chance
> to notice that they were under attack. It's not greatly effective, but
> better than nothing.
I don't think this is language concerning issue.

it could be done in user script..

thanks
>
> Although this can be implemented in user script, it would be better if
> session module supports this behavior. Better security by default
> is good thing. It requires INI, since some apps may assume session
> ID would not change.
> (I do not encourage to use session ID for CSRF protection, but
> there are such implementations, for example.)
>
> A concern is that there are growing number of browsers share
> state. I do not research these browsers behavior yet. I suppose
> session cookie (expire=0) would not be shared.
>
> Anyone has any comments on this?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net



-- 
Laruence  Xinchen Hui
http://www.laruence.com/