Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69343
Return-Path: <tyra3l@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 1668 invoked from network); 26 Sep 2013 09:08:05 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Sep 2013 09:08:05 -0000
Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.177 as permitted sender)
X-PHP-List-Original-Sender: tyra3l@gmail.com
X-Host-Fingerprint: 209.85.216.177 mail-qc0-f177.google.com  
Received: from [209.85.216.177] ([209.85.216.177:45922] helo=mail-qc0-f177.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 30/1A-46303-279F3425 for <internals@lists.php.net>; Thu, 26 Sep 2013 05:08:02 -0400
Received: by mail-qc0-f177.google.com with SMTP id x12so547834qcv.36
        for <internals@lists.php.net>; Thu, 26 Sep 2013 02:07:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=SzS1fSt5vxDI1LTpapZjdieCr5ZBIdH8TQJF5PKL9vo=;
        b=gkSKO2bvC5RZR8adVb0+6ApXiYcPdp3710VaMb84qPwasePsmS5bfhwfi52vsvMAeN
         q8KczMW1pflBdkZ76S+FVWSG0wbW5KTwdO5Uf/E0ZZlBr8fRmG0v1ySwEJnjBi1391Wd
         AyCj+mBgv+fhAbgrAworrwzl2tLVjHFafNcZWnMVjYZwJr5P3Kv1iktdLP0fKlDPmN85
         sHc4q/ULImr+5GGLfar1BHPPuTpQSrqNzS28fL7R3dtszJv5O9ba3yjQcTIRfQnNT3uu
         T/3pH++/DYcYiRKdctdEIOtfUt8XzhHoIBCUXCplF1nSILnVv78R02sX7mBu1sjZNbOC
         Ys6A==
MIME-Version: 1.0
X-Received: by 10.49.59.44 with SMTP id w12mr8039954qeq.57.1380186479849; Thu,
 26 Sep 2013 02:07:59 -0700 (PDT)
Received: by 10.140.22.71 with HTTP; Thu, 26 Sep 2013 02:07:59 -0700 (PDT)
In-Reply-To: <CAGa2bXbh6dOf41nZ0r-RuRtkCuuiA=r=SnxS+A1+GgqFXPGOWQ@mail.gmail.com>
References: <CAGa2bXbh6dOf41nZ0r-RuRtkCuuiA=r=SnxS+A1+GgqFXPGOWQ@mail.gmail.com>
Date: Thu, 26 Sep 2013 11:07:59 +0200
Message-ID: <CAH-PCH6HL79tsD4pEO9xGNn4Y7jzAE2pjqSFq7poVk=6iJ71bQ@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=047d7b5daca0daf8c304e745b412
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address
 has changed
From: tyra3l@gmail.com (Ferenc Kovacs)

--047d7b5daca0daf8c304e745b412
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 24, 2013 at 4:29 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi all,
>
> There isn't any good counter measure session hijack.
> However, we can regenerate session ID if IP address has changed.
> Hijacked users might notice that they have been logged out if session
> ID is regenerated by attackers. Therefore, users have slight chance
> to notice that they were under attack. It's not greatly effective, but
> better than nothing.
>
> Although this can be implemented in user script, it would be better if
> session module supports this behavior. Better security by default
> is good thing. It requires INI, since some apps may assume session
> ID would not change.
> (I do not encourage to use session ID for CSRF protection, but
> there are such implementations, for example.)
>
> A concern is that there are growing number of browsers share
> state. I do not research these browsers behavior yet. I suppose
> session cookie (expire=3D0) would not be shared.
>
> Anyone has any comments on this?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>

1, as you said this regeneration is not feasible for everyone:
in some setups the client remote address not available to php, or through
another environment variable, in other cases the client uses some kind of
proxy or tunnel (tor comes to mind) which causes the source ip to change
between requests, and there are also some ISPs who are doing stuff like
agressive NATing or giving out public IPs through DHCP but with really
short lease times, so the clients are changing IPs frequently.
2, this can be implemented in userland, either in the application
bootstrap, or writing a custom session handler(
http://php.net/manual/en/class.sessionhandler.php).
3, it seems that there is an agreement that introducing language level INI
switches are a bad thing. if we add this, frameworks/apps/etc. which don't
want this feature (because they don't need it, or they have a better
implementation already) would be in a bad spot, because they would either
write some code to detect and circumwent this, or they would have to
educate their users to disable this feature in their installation, which
can be a hard thing to do, as many sites are running on shared hosts, where
doing configuration changes are hard even more when you are requesting to
disable a "security feature".

so to summarize: personally I'm not convinced that this would be useful for
most of the php users, as client IPs changing to frequently to be not
cumbersome for the users to lose their sessions, but this could definitely
break some sites on the internet (php installations behind proxies/load
balancers not passing the original client in in REMOTE_ADDR), and this
would also require countermeasures from the framework/apps/etc. which makes
me vote a -1 on this proposed feature.

maybe this could be shipped as a non-default SessionHandler implementation,
and reuse the current session handler infrastructure and config ini.

--=20
Ferenc Kov=C3=A1cs
@Tyr43l - http://tyrael.hu

--047d7b5daca0daf8c304e745b412--