Newsgroups: php.internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Mike Willbanks
Cc: internals@lists.php.net
Date: Wed, 25 Sep 2013 14:55:57 +0900

Hi Mike,

On Wed, Sep 25, 2013 at 2:16 PM, Mike Willbanks wrote:
> Each and every type of prevention measure has consequences and not only
> that but MAJOR consequences. If you are detecting IP changes you rule out
> most if not all major proxy networks that exist. While not first of mind;
> when handling this you can easily remove the old session without properly
> transitioning to the new. This is an option based off of individual
> application vs. a language option or construct. There are a ton of
> different measures that you might take based off of changes to the end user
> data. I think this would be a poor idea in the long run due to the
> consequences that you may incur.

The more I get this kind of response, the more I feel we should introduce this feature as an optional session module feature.

Regenerating the session ID should not be any problem as long as the session ID is cookie based and the save handler locks session data while it is in use. As far as I know, the only faulty save handler is the mm save handler. (I would like to implement locking in mm, but it's low priority for me. When TranSID is enabled, it would cause problems due to cached pages.)

The best practice for session ID management is regenerating the session ID when events happen. The mandatory one is the login event. Web programmers must regenerate the session ID to ensure session safety at login. An IP address change is one such event, even though it's not mandatory. There is a PHP framework called Piece Framework that has an option to regenerate the session ID on every request to achieve maximum session ID security, for example.

If regeneration of the session ID causes misbehavior, then it is a bug, including the user's fault.

I think if I disable this feature when TranSID is on and/or expire is not 0, then there would not be issues. Unless web programmers use the session ID for CSRF protection, etc.

Anyway, I'll start from documentation. If there are any comments, I'll appreciate them.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
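The event-driven regeneration described in the message above, written as an added userland PHP example rather than the session-module option being proposed (this is not code from the thread or from PHP itself): the login regeneration is mandatory, the IP-change regeneration is optional, both are skipped when the ID is not cookie based, and the CSRF token is kept separate from the session ID so rotation does not break it. The function names and the `_client_ip` / `_csrf` session keys are assumptions for illustration.

```php
<?php
// Added example, not from the thread: session ID regeneration on login and on
// client IP change, with the caveats raised in the discussion applied.

// Regenerate only when the ID travels in a cookie. With trans-sid enabled, pages
// cached with the old ID in their URLs would keep using it (the mm/TranSID concern).
function regeneration_is_safe(): bool
{
    return ini_get('session.use_only_cookies') === '1'
        && ini_get('session.use_trans_sid') !== '1';
}

// Rotate the ID and rebind the session to the current client address.
// $deleteOld=false keeps the old record so a concurrent in-flight request does
// not lose its data; it is reaped later by the save handler's GC instead.
function rotate_session_id(bool $deleteOld): void
{
    if (!regeneration_is_safe()) {
        return;
    }
    session_regenerate_id($deleteOld);
    $_SESSION['_client_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Mandatory: call right after a successful credential check (fixation defence).
// The CSRF token lives in $_SESSION, not in the ID, so it survives rotation.
function on_login(int $userId): void
{
    rotate_session_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['_csrf']   = bin2hex(random_bytes(32));
}

// Optional: call on every request. Clients behind rotating proxies or mobile
// carriers change address often; the session survives, only its ID changes.
function regenerate_on_ip_change(): void
{
    $current = $_SERVER['REMOTE_ADDR'] ?? '';
    $stored  = $_SESSION['_client_ip'] ?? null;
    if ($stored === null) {
        $_SESSION['_client_ip'] = $current;   // first request: just bind
    } elseif ($stored !== $current) {
        rotate_session_id(false);             // keep old data for in-flight requests
    }
}

session_start();
regenerate_on_ip_change();
```

Applications that compare the session ID itself against a hidden form field will see the check fail after rotation; store a dedicated token as above instead.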