Newsgroups: php.internals
Date: Tue, 24 Sep 2013 22:51:59 -0700
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: Ronald Chmara (ronabop@gmail.com)

On Tue, Sep 24, 2013 at 8:52 PM, Yasuo Ohgaki wrote:
> Hi,
>
> On Tue, Sep 24, 2013 at 12:46 PM, Ronald Chmara wrote:
>
>> When you have a group of front-end termination points in a pool, proxying
>> requests off to hundreds of machines for thousands of applications, tying a
>> session to any IP is a headache. IMO, sessions are supposed to be tied to
>> users, not any given inbound IP that can, and may, jump between different
>> routers, proxies, NAT hosts, etc.
>
> A session is tied to a specific user (browser) regardless of IP unless the
> session ID is hijacked.
> Renewing the session ID does not matter. Regenerating the session ID when the
> IP has changed would help users notice a session hijack. This is the sole
> purpose of regenerating the session ID when the IP has changed. I think only
> a few apps do this now.

So, say you have many front ends, with load balancing, and public IP addresses. Those front-ends talk on private IP ranges to back-end machines, so the session can come in from any public IP, be proxied, and handed off.

This, BTW, is not hypothetical; it's about my work with http://appfog.com. Some actual numbers to explain: our Singapore location (for example) has 29,088 websites, with 6 incoming IP addresses talking to 27 website nodes. Regenerating session keys is a waste of CPU at that scale, as a given user's requests may jump around 6 different inbound addresses, and any number of servers.

Takeaway:

1) Binding a session to an IP doesn't work at scale.
2) Seeing that the IP has "changed" is totally useless to detect hijacking.
3) Session libraries that are expecting state, on the internet, are fundamentally broken by design. There is no such thing as a secure http session. Ever. The protocol, by design, does not allow it. Ever. You can add layers (such as https) to make things "better", but if you want secure communication, don't use the internet.

-Ronabop
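A toy model of the proposed "regenerate the session ID when the client IP changes" rule, seen from behind a load-balanced front-end pool like the one described above. This is an added illustration, not code from PHP or from anyone in the thread; the pool addresses (RFC 5737 documentation range) and request counts are constructed, not appfog's real traffic. It reports the fraction of one legitimate user's requests that would trip the "IP changed" check when inbound traffic is spread round-robin over the pool.

```python
# Toy model of an IP-bound session table with "regenerate on IP change".
# Added example; not PHP's session code. All addresses and counts are constructed.
import itertools
from dataclasses import dataclass, field


@dataclass
class IpBoundSessions:
    """Server-side session table: session id -> IP the session was last seen from."""
    last_ip: dict = field(default_factory=dict)
    regenerated: int = 0          # how often the "IP changed" rule fired
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def new_session(self, client_ip):
        sid = f"sess-{next(self._ids)}"
        self.last_ip[sid] = client_ip
        return sid

    def handle(self, sid, client_ip):
        """Process one request carrying `sid` from `client_ip`.

        Returns the session id the response should set. If the request's IP
        differs from the one recorded for the session, the old id is discarded
        and a fresh one issued (the rule proposed in the thread). An unknown id
        simply starts a new session.
        """
        if sid not in self.last_ip:
            return self.new_session(client_ip)
        if self.last_ip[sid] != client_ip:
            del self.last_ip[sid]
            self.regenerated += 1
            return self.new_session(client_ip)
        return sid


def regeneration_rate(inbound_ips, requests):
    """Fraction of a single legitimate user's `requests` that trigger a
    regeneration when that user's traffic reaches the app round-robin through
    the front-end pool `inbound_ips` (the IPs the app actually sees)."""
    store = IpBoundSessions()
    rotation = itertools.cycle(inbound_ips)
    sid = store.new_session(next(rotation))
    for _ in range(requests - 1):
        sid = store.handle(sid, next(rotation))
    return store.regenerated / requests


if __name__ == "__main__":
    single = ["203.0.113.1"]                                  # one inbound address
    pool = [f"203.0.113.{i}" for i in range(1, 7)]            # six-address pool
    print("single IP :", regeneration_rate(single, 12))       # 0.0
    print("6-IP pool :", regeneration_rate(pool, 12))         # 11/12
```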