Newsgroups: php.internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: Tjerk Meesters <tjerk.meesters@gmail.com>
Date: Fri, 27 Sep 2013 19:03:55 +0800
To: Leigh
Cc: Peter Lind, PHP Internals, Yasuo Ohgaki

Hi,

On Fri, Sep 27, 2013 at 6:54 PM, Leigh wrote:
> On 27 September 2013 11:39, Peter Lind wrote:
> > On 27 September 2013 12:12, Leigh wrote:
> >>
> >> So on a successful session hijack (correct SID, new IP) the attacker
> >> gets a new SID and keeps the valid session while the legitimate user
> >> gets kicked out.
> >>
> >> Not seeing how that improves things at all.
> >
> > In your scenario, user gets booted and thus knows something's wrong. Much
> > better than the attacker hijacking the session without the user knowing
> > anything at all.
> >
> > Regards
> > Peter
>
> And what is done to invalidate the session now gained by the attacker?
> Since this is a proposal to handle such things internally.
> Do you really think random user X will think something is wrong beyond
> the site they were using just kicking them out for no reason? So now
> what do they do now? Log in again? The attacker still has the
> previously valid session, so nothing is gained.

Yes, much more is required to actually provide tangible benefits in terms of security. The site would have to keep track of the last five invalidated session identifiers and if any of those is presented, it would delete all sessions for that user. The core can practically only do a fraction of that for you, so I would agree that on the whole, this patch would not lead to a secure-by-default sessions implementation.

> This is exactly why this kind of logic belongs as user code. We're
> starting to define rules for a system that should be agnostic to how
> it is being used.

--
Tjerk
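The policy Tjerk sketches (remember the last five invalidated session identifiers per user; if a stale one is ever presented, drop every session that user holds) as an added illustration that is not code from this thread or from PHP's session extension. The SessionGuard class, its in-memory arrays and the user "alice" are assumptions made for the example; a real deployment would back the same logic with a shared store and hook it around session_start().

```php
<?php
// Added example: models the "revoked SID list" policy from the thread with
// plain arrays so it runs stand-alone (php this-file.php). Not production code.
final class SessionGuard
{
    private const MAX_REVOKED = 5;   // keep only the last five invalidated ids per user
    private array $active = [];      // sid  => user
    private array $revoked = [];     // user => [old sid, ...], oldest first

    public function login(string $user): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->active[$sid] = $user;
        return $sid;
    }

    // Rotate the id (e.g. because the client IP changed). The old id is not
    // simply forgotten: it is parked in the user's revoked list.
    public function regenerate(string $sid): string
    {
        $user = $this->active[$sid] ?? throw new RuntimeException('unknown session');
        unset($this->active[$sid]);
        $this->revoked[$user][] = $sid;
        $this->revoked[$user] = array_slice($this->revoked[$user], -self::MAX_REVOKED);
        $new = bin2hex(random_bytes(16));
        $this->active[$new] = $user;
        return $new;
    }

    // Map an incoming sid to a user. A revoked id means a stale cookie was
    // replayed (hijacker or the original client): both sides lose, every
    // session of that user is destroyed and the caller must re-authenticate.
    public function resolve(string $sid): ?string
    {
        foreach ($this->revoked as $user => $ids) {
            if (in_array($sid, $ids, true)) {
                $this->active = array_filter($this->active, fn ($u) => $u !== $user);
                unset($this->revoked[$user]);
                return null;
            }
        }
        return $this->active[$sid] ?? null;
    }
}

$guard = new SessionGuard();
$old = $guard->login('alice');
$new = $guard->regenerate($old);  // IP changed: rotate, $old is now revoked
var_dump($guard->resolve($old));  // NULL: stale id replayed, alice is logged out everywhere
var_dump($guard->resolve($new));  // NULL: the freshly issued id was killed as well
```

The last two lines show the trade-off Leigh raises: whoever presents the old id, the legitimate user is forced to log in again, but the attacker does not get to keep the session either.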