Newsgroups: php.internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Leigh
Cc: Tjerk Meesters, PHP Internals
Date: Sat, 28 Sep 2013 07:47:02 +0900

Hi Leigh,

On Fri, Sep 27, 2013 at 7:12 PM, Leigh wrote:
> So on a successful session hijack (correct SID, new IP) the attacker
> gets a new SID and keeps the valid session while the legitimate user
> gets kicked out.
>
> Not seeing how that improves things at all.

There are 2 improvements:

1. Generally speaking, more frequent session ID regeneration is more secure.
2. Detection/indication of attacks is good for security.

Showing active sessions and the possible intrusion/source of intrusion is the application's task, but session ID regeneration upon IP change is an easy and simple task for the session module. Why not have it as an optional feature? It would be better than nothing if the end user has a chance to know about the attack. IMHO.

Many systems send a notification mail when a password or important information has changed. The damage has already been done if it is an attack, but the user could know there was an attack. Session ID regeneration is the same kind of countermeasure. If the app supports the number of active sessions, the user could verify whether they are under a session hijack attack or not. It's up to the app, though.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
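The behaviour the thread argues about, written out as an added userland PHP example (this is not code from the thread, from Yasuo's proposal, or from the PHP session module itself): on each request the session's bound client IP is compared with the current one; on a mismatch the session ID is regenerated and the change is recorded so the application can surface it, which is the "indication of attack" half of Yasuo's argument. The `_ip` and `_ip_changes` session keys, the `ipChangeNotices()` helper and the use of `REMOTE_ADDR` as the client address are assumptions of this example; behind a reverse proxy you would take the address from the proxy's trusted forwarded header instead.

```php
<?php
// Added example: regenerate the session ID when the client IP changes and
// keep a record of the change for the application to show to the user.
// Assumes PHP's standard session handling; key names are this example's own.

declare(strict_types=1);

session_start();

// Client address as seen by this server (assumption: no proxy in front).
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if (!isset($_SESSION['_ip'])) {
    // First request of a fresh session: bind it to the IP it was created from.
    $_SESSION['_ip'] = $clientIp;
    $_SESSION['_ip_changes'] = [];
} elseif ($_SESSION['_ip'] !== $clientIp) {
    // The request arrived from a different IP than the one bound to the session.
    // Issue a fresh ID and delete the old session data (true), so the old ID
    // stops working for whoever still holds it, then record the event.
    session_regenerate_id(true);
    $_SESSION['_ip_changes'][] = [
        'from' => $_SESSION['_ip'],
        'to'   => $clientIp,
        'at'   => time(),
    ];
    $_SESSION['_ip'] = $clientIp;
}

/**
 * Application-side indication: turn recorded IP changes into human-readable
 * notices the app can display on an "active sessions" page or log.
 *
 * @param array<string, mixed> $session  session data ($_SESSION or a copy)
 * @return string[]
 */
function ipChangeNotices(array $session): array
{
    $notices = [];
    foreach ($session['_ip_changes'] ?? [] as $change) {
        $notices[] = sprintf(
            'Session IP changed from %s to %s at %s',
            $change['from'],
            $change['to'],
            date(DATE_ATOM, $change['at'])
        );
    }
    return $notices;
}

// In a real application these would be shown to the user; here they are logged.
foreach (ipChangeNotices($_SESSION) as $notice) {
    error_log($notice);
}
```

Note what this does and does not do, which is exactly Leigh's point: if the request from the new IP is the hijacker's, the hijacker receives the regenerated ID and the legitimate user's old ID is gone, so the legitimate user is logged out. That logout, together with the recorded change, is the detection signal Yasuo is arguing for; it is not prevention, and the example should be read as a detection aid layered under the application's own session listing, not as a hijack defence on its own.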