Newsgroups: php.internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: Ronald Chmara <ronabop@gmail.com>
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Date: Mon, 23 Sep 2013 20:46:46 -0700

When you have a group of front-end termination points in a pool, proxying requests off to hundreds of machines for thousands of applications, tying a session to any IP is a headache. IMO, sessions are supposed to be tied to users, not any given inbound IP that can, and may, jump between different routers, proxies, NAT hosts, etc.

-Ronabop

On Mon, Sep 23, 2013 at 7:29 PM, Yasuo Ohgaki wrote:
> Hi all,
>
> There isn't any good countermeasure against session hijacking.
> However, we can regenerate the session ID if the IP address has changed.
> Hijacked users might notice that they have been logged out if the session
> ID is regenerated by attackers. Therefore, users have a slight chance
> to notice that they were under attack. It's not greatly effective, but
> better than nothing.
>
> Although this can be implemented in a user script, it would be better if
> the session module supports this behavior. Better security by default
> is a good thing. It requires an INI setting, since some apps may assume the session
> ID would not change.
> (I do not encourage using the session ID for CSRF protection, but
> there are such implementations, for example.)
>
> A concern is that there is a growing number of browsers that share
> state. I have not researched these browsers' behavior yet. I suppose
> a session cookie (expire=0) would not be shared.
>
> Does anyone have any comments on this?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
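The user-script version of the behaviour Yasuo describes, added here as an example for evaluating the idea before any session-module change; it is not code from the thread or from PHP's session module, and it assumes a plain PHP session, an application that tolerates the session ID changing, and that `$_SERVER['REMOTE_ADDR']` is the address to compare (the helper name and session keys are hypothetical).

```php
<?php
// Added example, not part of the mailing-list thread or of ext/session.
declare(strict_types=1);

/**
 * Regenerate the session ID when the client address differs from the
 * one recorded when the session was first seen. Returns true when a
 * regeneration happened, false otherwise.
 */
function regenerate_session_on_ip_change(string $clientIp): bool
{
    // Store a hash rather than the raw address so the session store does
    // not carry the client's IP in clear text.
    $fingerprint = hash('sha256', $clientIp);

    if (!isset($_SESSION['__ip_fp'])) {
        // First request of this session: record the address and move on.
        $_SESSION['__ip_fp'] = $fingerprint;
        return false;
    }

    if (hash_equals($_SESSION['__ip_fp'], $fingerprint)) {
        return false; // same address as before, nothing to do
    }

    // Address changed: rotate the ID and delete the old session data so
    // the previous ID no longer resolves to this session (this is the
    // "logged out" signal Yasuo mentions, seen by whoever held the old ID).
    session_regenerate_id(true);
    $_SESSION['__ip_fp'] = $fingerprint;
    $_SESSION['__ip_changed_at'] = time();
    return true;
}

session_start();

// REMOTE_ADDR is the TCP peer. Behind the front-end pools Ronald describes
// it is the proxy's address, not the user's, so such a deployment would have
// to derive $clientIp from a forwarding header set by a trusted proxy, or
// skip the check, which is the operational problem his reply raises.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (regenerate_session_on_ip_change($clientIp)) {
    error_log('session ID regenerated after client address change');
}
```

Because the comparison is against the stored hash, a legitimate user whose address changes mid-session (mobile handover, NAT pool rotation) is also regenerated, which is the false-positive cost to weigh against the detection benefit.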