Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: "internals@lists.php.net"
Date: Mon, 20 Jan 2014 13:45:54 +0900
In-Reply-To:
References: <52DC905F.2080705@sugarcrm.com>
Subject: Re: [PHP-DEV] [VOTE] Introduce session.lock, session.lazy_write and session.lazy_destory

Hi all,

On Mon, Jan 20, 2014 at 1:27 PM, Yasuo Ohgaki wrote:
> With AJAX, or browsers that support concurrent access to the server,
> concurrent access to the server is possible.
>
> When the session ID is regenerated, it is possible that some connections
> access the server with the old session ID, i.e. a race condition.
>
> When this happens, an old session that may be known to an attacker may be
> reinitialized, or a new unneeded session ID is created when
> use_strict_mode=On.
>
> Allowing access to old session data for a while prevents these cases that
> initialize an unneeded session.
>
> The RFC proposes a deletion flag in $_SESSION. It's a little dirty,
> but it's faster and simpler. It would be acceptable because the session is
> a deleted one.

Additional comment on this.

session_destroy()/session_gc() delete session data immediately.
session.lazy_destroy is applicable only when session_regenerate_id() is called.

The name (session.lazy_destroy) might be better changed, or it might be better to apply it to session_destroy() as well, since there would be a similar race condition as with session_regenerate_id().

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
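The race the post describes, and the deletion-flag idea it discusses, as an added example in PHP that is not code from the thread or from PHP's session extension. It models a session store as a plain array and shows why a late request carrying the old ID is harmless when the old record stays readable for a short grace window after session_regenerate_id(), while session_destroy() still deletes at once. The grace period, the flag key name, the in-memory store and all function names are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread or PHP's session code): an in-memory model of
// "lazy destroy" via a deletion flag stored inside the session data itself.
// Everything below (names, grace window, store layout) is an assumption.

const LAZY_DESTROY_GRACE = 60;          // seconds the old ID stays readable (assumed)
const DELETED_AT_KEY     = '__deleted_at'; // flag kept in the session data, as the RFC suggests

/** @var array<string, array> constructed in-memory session store, keyed by session ID */
$store = [];

function new_session_id(): string {
    return bin2hex(random_bytes(16));
}

/**
 * Read a session under use_strict_mode=On semantics: an unknown ID is rejected
 * (returns null) so the caller has to issue a brand-new ID.
 */
function read_session(array &$store, string $id, int $now): ?array {
    if (!isset($store[$id])) {
        return null;
    }
    $data = $store[$id];
    if (isset($data[DELETED_AT_KEY])) {
        if ($now - $data[DELETED_AT_KEY] > LAZY_DESTROY_GRACE) {
            unset($store[$id]);   // grace window is over: delete for real
            return null;
        }
        // Still inside the window: a request that raced the regeneration can read
        // the old data, so nothing is reinitialized and no extra session is created.
    }
    return $data;
}

/**
 * session_regenerate_id() equivalent. With lazy destroy the old record is
 * flagged with a timestamp instead of being removed immediately.
 */
function regenerate_id(array &$store, string $oldId, int $now, bool $lazyDestroy): string {
    $newId = new_session_id();
    $data  = $store[$oldId] ?? [];
    unset($data[DELETED_AT_KEY]);        // the new session never carries the flag
    $store[$newId] = $data;
    if ($lazyDestroy) {
        $store[$oldId][DELETED_AT_KEY] = $now;
    } else {
        unset($store[$oldId]);           // old behaviour: gone at once
    }
    return $newId;
}

/** session_destroy() equivalent: immediate, as the post points out. */
function destroy_session(array &$store, string $id): void {
    unset($store[$id]);
}

// --- Simulated race between two concurrent requests from the same browser ---
$now   = 1000;                           // constructed clock value
$oldId = new_session_id();
$store[$oldId] = ['user' => 'alice'];

// Request A regenerates the ID.
$newId = regenerate_id($store, $oldId, $now, true);

// Request B was sent with the old ID before the browser learned the new one:
// within the grace window it still reads the original data.
$late = read_session($store, $oldId, $now + 5);
echo "late request with old ID: ", json_encode($late), "\n";

// After the window the old ID is rejected, as strict mode requires.
$expired = read_session($store, $oldId, $now + LAZY_DESTROY_GRACE + 1);
echo "old ID after grace window: ", var_export($expired, true), "\n";

// The new ID carries the data, without the flag.
echo "new ID: ", json_encode(read_session($store, $newId, $now + 5)), "\n";

// Explicit destroy is never deferred.
destroy_session($store, $newId);
echo "new ID after destroy: ", var_export(read_session($store, $newId, $now + 6), true), "\n";
```

The window should be kept short: for as long as it is open, the old ID (which the post notes may already be known to an attacker) still resolves to live data, so the grace period trades a little exposure for not breaking concurrent requests, and the expiry check in read_session() is what bounds that exposure.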