Newsgroups: php.internals
Date: Fri, 27 Sep 2013 11:12:27 +0100
To: Tjerk Meesters
Cc: PHP Internals, Yasuo Ohgaki
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: leight@gmail.com (Leigh)

On 26 September 2013 11:32, Tjerk Meesters wrote:
>
> On Thu, Sep 26, 2013 at 6:19 PM, Leigh wrote:
>>
>> There are several scenarios where a user's IP changes and you don't want to
>> drop their session. (That doesn't mean it should simply have an option to
>> disable it either)
>
>
> Let's be clear here: this won't happen (in most cases), because the client
> will simply get a new cookie and the session will keep working; it's like
> what you would implement if your user level goes from anonymous to logged in
> and vice versa.

Right, so maybe I misunderstood the intent of this. I was reading it as:
valid SID on new IP = drop session, which to me seems like the more "secure"
approach.

What you're saying is when a valid SID is supplied on a new IP, you
regenerate the SID and the session continues to be valid on the new IP?

So on a successful session hijack (correct SID, new IP) the attacker gets a
new SID and keeps the valid session while the legitimate user gets kicked
out. Not seeing how that improves things at all.
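The two policies being argued about above can be modelled directly. The following is an added example, not code from the thread or from PHP's session extension: a small in-memory session store with two policies for the "valid SID arrives from a new IP" case, run through the scenario Leigh describes (a request with a user's SID from a different IP, followed by the user's own next request from the original IP). The SessionStore class, the policy names, and the session IDs, IP addresses and user name are all constructed for the simulation.

```php
<?php
// Added example (not from the php.internals thread): a minimal model of two
// session policies for the "valid SID arrives from a new IP" case.
// Session IDs, IPs and the user name below are constructed for the simulation.

final class SessionStore
{
    /** @var array<string, array{user: string, ip: string}> */
    private array $sessions = [];
    private int $counter = 0;

    public function create(string $user, string $ip): string
    {
        $sid = sprintf('sid-%03d', ++$this->counter);
        $this->sessions[$sid] = ['user' => $user, 'ip' => $ip];
        return $sid;
    }

    public function isValid(string $sid): bool
    {
        return isset($this->sessions[$sid]);
    }

    /**
     * Handle one request carrying $sid from $ip.
     * Returns the SID the client should use from now on, or null if the
     * session is gone. $policy is 'regenerate' or 'drop'.
     */
    public function request(string $sid, string $ip, string $policy): ?string
    {
        if (!isset($this->sessions[$sid])) {
            return null;                      // unknown or already destroyed
        }
        $data = $this->sessions[$sid];
        if ($data['ip'] === $ip) {
            return $sid;                      // same IP: nothing to do
        }
        // IP changed: the old SID stops being valid under both policies.
        unset($this->sessions[$sid]);
        if ($policy === 'regenerate') {
            // Same session data, new ID, now bound to the IP that presented
            // the old SID (the behaviour Leigh objects to).
            return $this->create($data['user'], $ip);
        }
        return null;                          // 'drop': session is destroyed
    }
}

/** Run the thread's scenario under one policy and report who still holds a session. */
function simulate(string $policy): array
{
    $store = new SessionStore();
    $sid   = $store->create('alice', '203.0.113.10');   // login from the original IP

    // A request carrying alice's SID arrives from a different IP.
    $newSid = $store->request($sid, '198.51.100.7', $policy);

    // Alice's next request from her original IP, using the SID she was issued.
    $aliceSid = $store->request($sid, '203.0.113.10', $policy);

    return [
        'new_ip_keeps_session' => $newSid !== null && $store->isValid($newSid),
        'original_ip_still_ok' => $aliceSid !== null && $store->isValid($aliceSid),
    ];
}

foreach (['regenerate', 'drop'] as $policy) {
    printf("%-10s %s\n", $policy, json_encode(simulate($policy)));
}
```

Under `regenerate` the run reports that the holder of the new IP keeps a valid session while the original IP is locked out, which is exactly the outcome Leigh describes; under `drop` both sides lose the session, so a legitimate IP change (the case Tjerk raises) costs the user a login. In a real PHP application the regeneration step corresponds to `session_regenerate_id(true)`, which also discards the old session data.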