Newsgroups: php.internals
Date: Fri, 27 Sep 2013 11:54:31 +0100
From: leight@gmail.com (Leigh)
To: Peter Lind
Cc: Tjerk Meesters, PHP Internals, Yasuo Ohgaki
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

On 27 September 2013 11:39, Peter Lind wrote:
> On 27 September 2013 12:12, Leigh wrote:
>>
>> So on a successful session hijack (correct SID, new IP) the attacker
>> gets a new SID and keeps the valid session while the legitimate user
>> gets kicked out.
>>
>> Not seeing how that improves things at all.
>
> In your scenario, user gets booted and thus knows something's wrong. Much
> better than the attacker hijacking the session without the user knowing
> anything at all.
>
> Regards
> Peter

And what is done to invalidate the session now gained by the attacker? Since this is a proposal to handle such things internally.

Do you really think random user X will think something is wrong beyond the site they were using just kicking them out for no reason? So what do they do now? Log in again? The attacker still has the previously valid session, so nothing is gained.

This is exactly why this kind of logic belongs as user code. We're starting to define rules for a system that should be agnostic to how it is being used.
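As an added illustration of the point made in this thread (this is example code, not from the thread and not part of PHP itself): a user-land check that binds a session to the client address, with a flag that shows the two possible responses to a mismatch. It assumes the default cookie-based session handler and that `REMOTE_ADDR` is the real client address (no reverse proxy in front of PHP).

```php
<?php
// Added example: user-land binding of a session to the client IP address.
// With $regenerateOnMismatch = true it reproduces the behaviour discussed in
// the thread: whoever presents the old SID from a new address gets a fresh SID
// and keeps the session data. With it false, the session is invalidated and
// nobody keeps it, so the party with the stolen SID gains nothing.
declare(strict_types=1);

function bindSessionToClient(bool $regenerateOnMismatch = false): void
{
    session_start();
    // Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
    $clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['bound_ip'])) {
        // First request of a fresh session: record the address it was created from.
        $_SESSION['bound_ip'] = $clientIp;
        return;
    }

    if (hash_equals($_SESSION['bound_ip'], $clientIp)) {
        return; // same client address, nothing to do
    }

    if ($regenerateOnMismatch) {
        // Regenerate-on-change: the session survives under a new ID for the
        // presenter of the old one, legitimate user or not.
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $clientIp;
        return;
    }

    // Invalidate-on-change: discard the session data, delete the server-side
    // record and expire the cookie, then require re-authentication.
    $_SESSION = [];
    session_destroy();
    setcookie(session_name(), '', time() - 3600, '/');
    http_response_code(401);
    exit;
}

bindSessionToClient(false);
```

Binding to `REMOTE_ADDR` also logs out legitimate users whose address changes (mobile networks, proxy pools), so the trade-off is application-specific, which is the thread's reason for keeping this out of the engine.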