Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:69419 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 97268 invoked from network); 30 Sep 2013 07:51:36 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 30 Sep 2013 07:51:36 -0000 Authentication-Results: pb1.pair.com smtp.mail=tjerk.meesters@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tjerk.meesters@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.41 as permitted sender) X-PHP-List-Original-Sender: tjerk.meesters@gmail.com X-Host-Fingerprint: 209.85.128.41 mail-qe0-f41.google.com Received: from [209.85.128.41] ([209.85.128.41:65534] helo=mail-qe0-f41.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 45/A2-09820-88D29425 for ; Mon, 30 Sep 2013 03:51:36 -0400 Received: by mail-qe0-f41.google.com with SMTP id 1so3585530qee.28 for ; Mon, 30 Sep 2013 00:51:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fNch0+7ztkgnCTlvmNogAb4Joixzb7AG5Ieu1w309jQ=; b=NUerCUMbpFn1a7p0/xzYmYsimKXwgGdWWiDdHoMip1Stwr6H40w7BdgZKwTU6A7/xU N7WBwwePbP9TrjwdQCM898vEiW853lurMdM3HQB3uRtiEc0gUE1Ik9bk5OUejC7L2Z4T RiIIFBfixHI+oRnZWlQ61LeUN3ZGFHYbpshJ2lmLA6YCfysTtQHe8bUpd8yZpOj15BqW rxZN8Uy3vSnarE2htBNhFk1ZG2nz5zt5qHIKRAxWhMzyCeX2/9kt0Ej51MEgVvsNBVTK 7PfcSZinrLd8kVgIRbERdkSvZpLD3Ig6Rore0Q9Sj0AUg8B5ziWfg/VLEEm9Y9TbkQoC rCQg== MIME-Version: 1.0 X-Received: by 10.49.127.179 with SMTP id nh19mr26280422qeb.1.1380527493933; Mon, 30 Sep 2013 00:51:33 -0700 (PDT) Received: by 10.49.61.227 with HTTP; Mon, 30 Sep 2013 00:51:33 -0700 (PDT) In-Reply-To: References: Date: Mon, 30 Sep 2013 15:51:33 +0800 Message-ID: To: Yasuo Ohgaki Cc: Leigh , PHP Internals Content-Type: multipart/alternative; boundary=047d7b62249ae0f1fb04e7951a01 Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed From: tjerk.meesters@gmail.com (Tjerk Meesters) --047d7b62249ae0f1fb04e7951a01 Content-Type: text/plain; charset=ISO-8859-1 On Sat, Sep 28, 2013 at 6:47 AM, Yasuo Ohgaki wrote: > Hi Leigh, > > On Fri, Sep 27, 2013 at 7:12 PM, Leigh wrote: > >> So on a successful session hijack (correct SID, new IP) the attacker >> gets a new SID and keeps the valid session while the legitimate user >> gets kicked out. >> >> Not seeing how that improves things at all. >> > > There are 2 improvements > > 1. Generally speaking, more frequent session ID regeneration is more > security. > This could make it more difficult for an attacker to take advantage, but then I would like to see other changes as well, for instance: a) Enable session.use_strict_mode by default. b) Enable session.use_only_cookies by default c) Enable session.cookie_httponly by default. d) Use a stronger session.hash_function with more session.hash_bits_per_character by default. e) Enable session.cookie_secure on secure connections (I know this is not going to be fool proof). There are probably more settings we could change to more security aware values. > 2. Detection/indication of attacks is good for security. > This is an interesting aspect; when an old session identifier is presented, from the end-user's perspective, either: a) They get redirected to the site's login page; the user gets redirected to the login page and unless they suspect their session was compromised (if that's indeed what happened), they will sign in again (the browser may have remembered the credentials, so it's a single click operation and they're back), or b) If the system uses a (naive) "remember me" feature, a new session gets created automatically and they don't notice a thing. From the server-side's perspective, the cookie value could simply not be found, assuming that the regeneration also deletes the previous session data; there's no discernible difference between an old session and a compromised session afaict. This would be a different story if the session engine would keep track of past values as well. Btw, what I'm also missing from this proposal is the ability to hash against other factors, i.e. user agent. ISP's may use a transparent HTTP(s) proxy, most companies use an NAT, so being able to detect user agent changes may improve detection further. The bottom line is: if the system can make it easier to detect intrusion, it should be in the system and it should be easy :) > > Showing active sessions and possible intrusion/source of intrusion is > applications > task, but session ID regeneration upon IP change is easy and simple task > for > session module. Why not have it as optional feature? > > It would be better than nothing if end user has chance to know the attack. > IMHO. > > Many systems have notification mail when password or important information > have changed. Damage has already done if it is an attack, but user could > know > there were attack. Session ID regeneration is the same kind of counter > measure. > > If app supports number of active sessions, user could verify if they are > under > session hijack attack or not. It's up to app, though. > > Regards, > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net > -- -- Tjerk --047d7b62249ae0f1fb04e7951a01--