Newsgroups: php.internals
Xref: news.php.net php.internals:69359
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Date: Fri, 27 Sep 2013 07:37:47 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Tjerk Meesters
Cc: Leigh, Laruence, PHP Internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

Hi Tjerk,

On Thu, Sep 26, 2013 at 7:32 PM, Tjerk Meesters wrote:
>
>> Many people still have dynamic IP addresses for their home connections, but
>> the group who would suffer the most would be mobile users. It's pretty
>> frustrating to use most sites with a phone as it is, without being kicked
>> off every time you switch between GPRS or HSDPA or whatever.
>
> Aha! I'm glad that you brought up mobile devices, because for those it's
> more likely that in certain cases the updated cookie is not received while
> the server believes that it was; scenario: "I stepped into an elevator and
> was disconnected when I got out.". This makes it an unattractive option to
> have enabled by default.

When IP packets are lost, clients may not receive the new session ID. This
may occur when packets are lost while the server is trying to set the new
session ID cookie. Unless users have really bad connections, this is
unlikely to happen.

Users who are concerned about this situation should disable it. Users who
are concerned about security should accept this case.

The motivation of the feature is to encourage secure session management
for users, not to cover all situations perfectly. Changing the session ID
on events is a security best practice. Failures in rare cases would not
make it bad practice.

This feature cannot be enabled by default, since the HTTP header that
indicates the client IP may vary.

Anyway, how many of us follow session ID management security best practice?

 - login
 - logout
 - re-authentication (e.g. require password to change sensitive info)
 - timeout (long-living session ID should be renewed)
 - IP change (this could be a hijacked session)
 - else?

Regenerating the session ID at login is mandatory, so I suppose everyone
does. (If not, you must.)

Generally speaking, if the session ID changes more frequently, a hijack
attack becomes more difficult. Even though the session ID is the center of
web security, it is fragile. Therefore, it should be as secure as possible
whenever it can. IMHO.

Regards,

P.S. As I wrote in my previous mail, I'll start from documentation. Even if
I made a patch, it would be an optional feature anyway.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
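The event list in the mail (login, logout, re-authentication, timeout, IP change), as an added example of how an application can implement it on top of PHP's ext/session API. This is not code from the thread, from the proposed patch, or from PHP itself; the function names (secure_session_start, rotate_session_id, session_login, session_logout, session_reauthenticated), the $_SESSION keys, the timeout constants and the choice to read only REMOTE_ADDR are this example's own assumptions. It needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or PHP's own code): a session-policy
// layer that regenerates the ID on each event listed in the mail.
const SESSION_IDLE_TIMEOUT = 900;   // assumption: drop sessions idle > 15 min
const SESSION_ROTATE_EVERY = 300;   // assumption: renew long-living IDs every 5 min
const SESSION_BIND_TO_IP   = true;  // opt-in, as the mail argues; see client_ip()

function client_ip(): string
{
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy the real client
    // address lives in a deployment-specific header (X-Forwarded-For,
    // X-Real-IP, ...), which is why the mail says an IP-change check cannot
    // be enabled by default. Map it here yourself, and only when REMOTE_ADDR
    // is a proxy you trust; never read the header from an arbitrary peer.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function rotate_session_id(): void
{
    // true = delete the old session record, so a stolen old ID dies at once.
    // Trade-off discussed in the thread: if the Set-Cookie response is lost
    // (elevator, mobile hand-over), the client keeps an ID the server no
    // longer knows and is effectively logged out.
    session_regenerate_id(true);
    $_SESSION['rotated_at'] = time();
}

function secure_session_start(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1'); // no IDs in URLs
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
        $_SESSION['rotated_at'] = $now;
        $_SESSION['ip']         = client_ip();
    }

    // timeout: an idle session is not just renewed, its data is discarded
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_TIMEOUT) {
        session_logout();  // leaves a fresh anonymous session with a new ID
    }
    $_SESSION['last_seen'] = $now;

    // IP change: possibly a hijacked session, so issue a new ID
    if (SESSION_BIND_TO_IP && ($_SESSION['ip'] ?? '') !== client_ip()) {
        $_SESSION['ip'] = client_ip();
        rotate_session_id();
    }

    // long-living session: periodic renewal shortens the life of a leaked ID
    if ($now - ($_SESSION['rotated_at'] ?? 0) > SESSION_ROTATE_EVERY) {
        rotate_session_id();
    }
}

// login: mandatory regeneration, so the pre-auth ID never becomes an
// authenticated one (session fixation)
function session_login(int $userId): void
{
    rotate_session_id();
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
    $_SESSION['ip']      = client_ip();
}

// logout: drop all data and retire the old ID; the browser ends up with a
// new, empty session rather than a still-valid authenticated one
function session_logout(): void
{
    $_SESSION = [];
    rotate_session_id();
}

// re-authentication: call after the password was verified again for a
// sensitive change, so the ID used before the check is no longer valid
function session_reauthenticated(): void
{
    rotate_session_id();
    $_SESSION['auth_at'] = time();
}

// does the caller still need a password prompt before a sensitive action?
function needs_reauth(int $maxAge = 300): bool
{
    return !isset($_SESSION['user_id']) || time() - ($_SESSION['auth_at'] ?? 0) > $maxAge;
}
```

Every handler in a request calls secure_session_start() once at the top; login code calls session_login() after credential verification, the logout endpoint calls session_logout(), and a "change password" form first checks needs_reauth() and calls session_reauthenticated() once the password has been re-entered. Because SESSION_BIND_TO_IP is a per-application switch, an operator behind a proxy can leave it off, which matches the mail's point that the check cannot be a PHP default.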