Newsgroups: php.internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: Mike Willbanks (pencap@gmail.com)
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Date: Tue, 24 Sep 2013 22:16:54 -0700

On Mon, Sep 23, 2013 at 7:29 PM, Yasuo Ohgaki wrote:
> Hi all,
>
> There isn't any good countermeasure against session hijacking.
> However, we can regenerate the session ID if the IP address has changed.
> Hijacked users might notice that they have been logged out if the session
> ID is regenerated by attackers. Therefore, users have a slight chance
> to notice that they were under attack. It's not greatly effective, but
> better than nothing.
>
> Although this can be implemented in a user script, it would be better if
> the session module supported this behavior. Better security by default
> is a good thing. It requires an INI setting, since some apps may assume the
> session ID would not change.
> (I do not encourage using the session ID for CSRF protection, but
> there are such implementations, for example.)
>
> A concern is that there is a growing number of browsers that share
> state. I have not researched these browsers' behavior yet. I suppose
> session cookies (expire=0) would not be shared.
>
> Does anyone have any comments on this?

Each and every type of prevention measure has consequences, and not only that but MAJOR consequences. If you are detecting IP changes, you rule out most if not all major proxy networks that exist. While not first of mind, when handling this you can easily remove the old session without properly transitioning to the new one. This is an option based on the individual application vs. a language option or construct. There are a ton of different measures that you might take based on changes to the end-user data. I think this would be a poor idea in the long run due to the consequences that you may incur.
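The two concerns raised in this exchange, rotating the session ID when the client's address changes and doing so without deleting the old session underneath requests that are still in flight, can be shown in userland. The following is an added example written for this page; it is not code from the PHP session module and not code posted by either participant. It assumes PHP 7.1 or later (session_create_id, nullable return types), cookie-based sessions with a server-side save handler, and it invents the $_SESSION keys __net and __retired_at, the 60-second grace window and the /24 and /64 prefix lengths used to soften (not eliminate) the proxy-pool problem Mike describes:

```php
<?php
// Added example (not code from the PHP session module or from either poster).
// Userland version of "regenerate the session ID when the client's address
// changes", done so that the old session is retired with a short grace window
// rather than deleted underneath requests that are still in flight.
// Assumes PHP 7.1+ (session_create_id, nullable return types), cookie-based
// sessions and a server-side save handler (the default files handler works).
// The $_SESSION key names, grace window and prefix lengths are assumptions.

declare(strict_types=1);

/**
 * Reduce an address to a network key. Comparing only the leading bits
 * (assumption: /24 for IPv4, /64 for IPv6) keeps clients inside one
 * proxy pool or carrier NAT from rotating on every request; a proxy
 * network that hops across prefixes will still trigger a rotation.
 * Returns null when $ip is not an IP literal.
 */
function session_ip_key(string $ip, int $v4Prefix = 24, int $v6Prefix = 64): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null;
    }
    $bits = strlen($packed) === 4 ? $v4Prefix : $v6Prefix;
    $mask = str_repeat("\xff", intdiv($bits, 8));
    if ($bits % 8 !== 0) {
        $mask .= chr((0xff << (8 - $bits % 8)) & 0xff);
    }
    $mask = str_pad($mask, strlen($packed), "\x00");
    return bin2hex($packed & $mask) . '/' . $bits;   // byte-wise AND on strings
}

/**
 * Call immediately after session_start(). Returns true when this request
 * was moved to a fresh session ID.
 */
function session_regenerate_on_ip_change(string $remoteAddr, int $graceSeconds = 60): bool
{
    $key = session_ip_key($remoteAddr) ?? 'unknown';

    // Request arrived on an ID that was already retired. Inside the grace
    // window (a request that raced the rotation) keep serving it; past the
    // window refuse it: wipe the data and hand out a fresh, logged-out session.
    // This is the point where a hijacked user finds themselves logged out.
    if (isset($_SESSION['__retired_at'])) {
        if (time() - $_SESSION['__retired_at'] > $graceSeconds) {
            $_SESSION = [];
            session_regenerate_id(true);
            $_SESSION['__net'] = $key;
            return true;
        }
        return false;
    }

    if (!isset($_SESSION['__net'])) {
        $_SESSION['__net'] = $key;      // first request: record the network only
        return false;
    }
    if ($_SESSION['__net'] === $key) {
        return false;                   // same network, nothing to do
    }

    // Network changed. Stamp the OLD record and write it out first, so the
    // grace logic above applies to it, then continue under a new ID that
    // carries the same data minus the marker. session_start() sends the new
    // cookie because the ID was set with session_id(); with
    // session.use_strict_mode=1 PHP may substitute its own fresh ID instead,
    // which is equally fine since nothing is looked up by that ID afterwards.
    $data = $_SESSION;
    $newId = session_create_id();
    $_SESSION['__retired_at'] = time();
    session_commit();

    session_id($newId);
    session_start();
    $_SESSION = $data;
    $_SESSION['__net'] = $key;
    return true;
}

// Usage at the top of a request (after ini settings such as
// session.use_strict_mode and session.cookie_httponly are configured):
//   session_start();
//   if (session_regenerate_on_ip_change($_SERVER['REMOTE_ADDR'] ?? '')) {
//       error_log('session ID rotated after client network change');
//   }
```

The prefix comparison only narrows the false-positive rate; a client whose egress proxy moves between prefixes mid-session is still rotated, which is exactly the trade-off the reply above objects to, and the grace window is what keeps a rotation from turning a racing legitimate request into a silent logout.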