Newsgroups: php.internals
Date: Sat, 28 Sep 2013 11:27:39 +0200
To: Yasuo Ohgaki
Cc: Leigh, Tjerk Meesters, PHP Internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: madara@tchizik.com (Madara Uchiha)

You guys are missing the point. This isn't a language-level issue.

I can imagine some sort of package or a library being made, some sort of wrapper around the current session commands, perhaps integrated into some sort of extension. But it is NOT a language-level issue. This isn't a problem the language needs to solve, ESPECIALLY since a userland implementation is so trivial.

The core of the problem is education, not a lack of tools on the language's side. And that's where the focus should be. How do we do it? I don't know. Blog posts? The PHP manual? Conferences? Maybe. But I still don't think this is a problem that the language should solve.

On Sat, Sep 28, 2013 at 1:47 AM, Yasuo Ohgaki wrote:
> Hi Leigh,
>
> On Fri, Sep 27, 2013 at 7:12 PM, Leigh wrote:
>
>> So on a successful session hijack (correct SID, new IP) the attacker
>> gets a new SID and keeps the valid session while the legitimate user
>> gets kicked out.
>>
>> Not seeing how that improves things at all.
>
> There are 2 improvements:
>
> 1. Generally speaking, more frequent session ID regeneration is more
> secure.
> 2. Detection/indication of attacks is good for security.
>
> Showing active sessions and possible intrusions/sources of intrusion is the
> application's task, but session ID regeneration upon IP change is an easy and
> simple task for the session module. Why not have it as an optional feature?
>
> It would be better than nothing if the end user has a chance to know about
> the attack. IMHO.
>
> Many systems send a notification mail when the password or other important
> information has changed. The damage has already been done if it is an attack,
> but the user could know there was an attack. Session ID regeneration is the
> same kind of countermeasure.
>
> If the app supports a count of active sessions, the user could verify whether
> they are under a session hijack attack or not. It's up to the app, though.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
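The userland wrapper Madara calls trivial, together with Leigh's hijack scenario, played out in PHP as an added example: this is not code from the thread, from PHP's session module, or from any of the posters. It runs from the CLI on PHP 8.1 or later. The in-memory save handler, the function names session_start_bound() and request(), the session keys '_bound_ip' and '_ip_changes', and the IP addresses are all this example's own assumptions.

```php
<?php
declare(strict_types=1);

// In-memory save handler so the demo runs from the CLI without a session
// directory. Assumption of this example only: a real deployment keeps its
// usual files/redis handler and adds nothing but session_start_bound().
final class MemorySessionHandler implements SessionHandlerInterface
{
    /** @var array<string, string> serialized session data keyed by SID */
    public array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

/**
 * Start or resume the session and bind it to the client IP. On an IP change
 * the ID is regenerated and the old ID destroyed. Returns true when that
 * happened: this return value is the application's hook to log, notify or
 * force re-authentication (Yasuo's "detection" argument).
 */
function session_start_bound(string $clientIp): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['_bound_ip'])) {
        $_SESSION['_bound_ip'] = $clientIp;          // first request: bind
        return false;
    }
    if ($_SESSION['_bound_ip'] === $clientIp) {
        return false;                                 // same IP: nothing to do
    }
    session_regenerate_id(true);                      // true = destroy the old SID
    $_SESSION['_bound_ip'] = $clientIp;
    $_SESSION['_ip_changes'] = ($_SESSION['_ip_changes'] ?? 0) + 1;
    return true;
}

/** Simulate one HTTP request presenting $sid (null = no cookie) from $ip. */
function request(?string $sid, string $ip, array $set = []): array
{
    if ($sid !== null) {
        session_id($sid);                             // what the Cookie header would carry
    }
    $regenerated = session_start_bound($ip);
    foreach ($set as $key => $value) {
        $_SESSION[$key] = $value;
    }
    $result = ['sid' => session_id(), 'regenerated' => $regenerated, 'data' => $_SESSION];
    session_write_close();                            // end of request
    return $result;
}

$handler = new MemorySessionHandler();
session_set_save_handler($handler, true);
ini_set('session.use_cookies', '0');       // CLI demo: no Set-Cookie headers
ini_set('session.use_strict_mode', '0');   // accept a presented, unknown SID (PHP's built-in default)

// 1. Alice logs in from 10.0.0.5 (constructed addresses).
$r1 = request(null, '10.0.0.5', ['user' => 'alice']);
$stolenSid = $r1['sid'];

// 2. An attacker who obtained Alice's SID presents it from 198.51.100.7:
//    IP mismatch -> regeneration -> the attacker now holds the only valid SID,
//    still carrying user=alice.
$r2 = request($stolenSid, '198.51.100.7');

// 3. Alice returns with her original SID. It was destroyed in step 2, so she
//    gets an empty session (logged out): Leigh's objection, exactly.
$r3 = request($stolenSid, '10.0.0.5');

foreach ([$r1, $r2, $r3] as $i => $r) {
    printf("request %d: sid=%s regenerated=%s data=%s\n",
        $i + 1, $r['sid'], var_export($r['regenerated'], true), json_encode($r['data']));
}
```

Run it with `php demo.php`. Request 2 comes back with regenerated=true and user=alice under a fresh SID; request 3 shows Alice's SID gone. That is the trade-off the two posts argue about: the regeneration by itself only moves the session to whoever presented the SID from the new address first, so whatever security value there is lies in acting on the true return value (log it, mail the user, require a fresh login), not in the new ID. In a real application the value to pass is $_SERVER['REMOTE_ADDR'], and only once you have decided what it means behind reverse proxies and for clients whose address legitimately changes mid-session.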