Newsgroups: php.internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: peter.e.lind@gmail.com (Peter Lind)
Date: Fri, 27 Sep 2013 12:39:01 +0200
To: Leigh
Cc: Tjerk Meesters, PHP Internals, Yasuo Ohgaki

On 27 September 2013 12:12, Leigh wrote:
> On 26 September 2013 11:32, Tjerk Meesters wrote:
>>
>> On Thu, Sep 26, 2013 at 6:19 PM, Leigh wrote:
>>>
>>> There's several scenarios where a user's IP changes and you don't want to
>>> drop their session. (That doesn't mean it should simply have an option to
>>> disable it either)
>>
>> Let's be clear here: this won't happen (in most cases), because the client
>> will simply get a new cookie and the session will keep working; it's like
>> what you would implement if your user level goes from anonymous to logged in
>> and vice versa.
>
> Right, so maybe I misunderstood the intent of this.
>
> I was reading it as: valid SID on new IP = drop session, which to me
> seems like the more "secure" approach.
>
> What you're saying is when a valid SID is supplied on a new IP, you
> regenerate the SID and the session continues to be valid on the new
> IP?
>
> So on a successful session hijack (correct SID, new IP) the attacker
> gets a new SID and keeps the valid session while the legitimate user
> gets kicked out.
>
> Not seeing how that improves things at all.

In your scenario, the user gets booted and thus knows something's wrong. Much better than the attacker hijacking the session without the user knowing anything at all.

Regards
Peter

--
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
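The two policies argued over in this thread (drop the session on a new IP, or regenerate the SID and carry on), written out as an added userland example; this is not code from the thread or from PHP's own session extension, and the policy names 'drop' / 'regenerate' and the `_bound_ip` session key are assumptions made here.

```php
<?php
// Added example (not from the php.internals thread). Binds a session to the
// client IP seen when it was created and reacts when a valid session ID
// later arrives from a different IP. Policy names are assumptions.
declare(strict_types=1);

/**
 * 'drop'       : destroy the session (Leigh's reading of the proposal).
 * 'regenerate' : issue a fresh ID and keep the data; the old ID is deleted
 *                server-side, so whoever still holds it is logged out and
 *                notices (the behaviour Tjerk described).
 * Returns a short tag for logging.
 */
function bind_session_to_ip(string $currentIp, string $policy = 'drop'): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (!isset($_SESSION['_bound_ip'])) {
        // First request of this session: record the IP and rotate the ID so
        // a pre-existing ID (session fixation) is not carried over.
        session_regenerate_id(true);
        $_SESSION['_bound_ip'] = $currentIp;
        return 'bound';
    }

    if ($_SESSION['_bound_ip'] === $currentIp) {
        return 'unchanged';
    }

    // Valid SID presented from a new IP: the case the thread argues about.
    if ($policy === 'drop') {
        $_SESSION = [];
        session_destroy();
        return 'dropped';
    }

    // 'regenerate': delete the old ID, continue under a fresh one.
    session_regenerate_id(true);
    $_SESSION['_bound_ip'] = $currentIp;
    return 'regenerated';
}

// Example call from a request handler; REMOTE_ADDR is the assumed IP source.
$outcome = bind_session_to_ip($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', 'regenerate');
error_log("session ip check: $outcome");
```

Either way the legitimate user is logged out when someone else presents their SID from another address; logging the outcome is what makes that visible to the operator rather than only to the user.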