Newsgroups: php.internals
Message-ID: <52455B9D.90603@heigl.org>
Date: Fri, 27 Sep 2013 12:19:09 +0200
To: Leigh
CC: Tjerk Meesters, PHP Internals, Yasuo Ohgaki
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: andreas@heigl.org (Andreas Heigl)

On 27.09.13 12:12, Leigh wrote:
> On 26 September 2013 11:32, Tjerk Meesters wrote:
>>
>> On Thu, Sep 26, 2013 at 6:19 PM, Leigh wrote:
>>>
>>> There are several scenarios where a user's IP changes and you don't want to
>>> drop their session. (That doesn't mean it should simply have an option to
>>> disable it either)
>>
>>
>> Let's be clear here: this won't happen (in most cases), because the client
>> will simply get a new cookie and the session will keep working; it's like
>> what you would implement if your user level goes from anonymous to logged in
>> and vice versa.
>
> Right, so maybe I misunderstood the intent of this.
>
> I was reading it as: valid SID on new IP = drop session, which to me
> seems like the more "secure" approach.
>
> What you're saying is when a valid SID is supplied on a new IP, you
> regenerate the SID and the session continues to be valid on the new
> IP?
>
> So on a successful session hijack (correct SID, new IP) the attacker
> gets a new SID and keeps the valid session while the legitimate user
> gets kicked out.
>
> Not seeing how that improves things at all.

So what about an ISP that changes the IP address of its clients every
half hour? Suddenly the IP for a valid SID has changed and the
legitimate user gets kicked out. Every half hour. No attacker needed.

Does that improve things?
Regards

Andreas

-- 
Andreas Heigl
mailto:andreas@heigl.org  N 50°22'59.5" E 08°23'58"
http://andreas.heigl.org  http://hei.gl/wiFKy7
http://hei.gl/root-ca
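To make the two positions in the thread concrete, here is an added simulation (not PHP's session extension and not code from anyone on the list) of a session store under both policies: dropping the session when the bound IP changes, versus regenerating the SID and rebinding it to the new IP. The store, the user names and the IP addresses are constructed for the example.

```python
# Constructed model of IP-bound sessions under the two policies discussed in
# the thread. Not PHP's ext/session; a toy store to show the outcomes only.
import secrets


class SessionStore:
    def __init__(self, policy):
        assert policy in ("strict", "regenerate")
        self.policy = policy
        self.sessions = {}  # sid -> {"user": ..., "ip": ...}

    def login(self, user, ip):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ip": ip}
        return sid

    def request(self, sid, ip):
        """Return (user or None if rejected, sid the client should keep)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None, None            # unknown, dropped or rotated-away SID
        if sess["ip"] == ip:
            return sess["user"], sid     # same IP: session continues unchanged
        if self.policy == "strict":
            del self.sessions[sid]       # IP changed: drop the session outright
            return None, None
        # "regenerate": invalidate the old SID, issue a fresh one bound to the
        # new IP; whoever presented the SID from the new IP keeps the session
        del self.sessions[sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": sess["user"], "ip": ip}
        return sess["user"], new_sid


def hijack_scenario(policy):
    """Leigh's case: a valid SID arrives from a new IP (attacker), then the
    legitimate user comes back from the original IP with the same SID."""
    store = SessionStore(policy)
    sid = store.login("alice", "198.51.100.10")
    attacker_user, _ = store.request(sid, "203.0.113.7")   # stolen SID, new IP
    victim_user, _ = store.request(sid, "198.51.100.10")   # original holder
    return attacker_user, victim_user


def isp_rotation_scenario(policy):
    """Andreas's case: the ISP changes the legitimate user's IP between two
    requests; no attacker involved."""
    store = SessionStore(policy)
    sid = store.login("bob", "198.51.100.20")
    user_after_change, _ = store.request(sid, "198.51.100.21")
    return user_after_change
```

Under "strict" both the hijacker and the victim lose the session, and a plain IP rotation logs the legitimate user out; under "regenerate" the IP rotation is survived, but the hijacker keeps the session and the victim is the one locked out, which is exactly the trade-off the two mails describe.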