Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72072
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 36069 invoked from network); 3 Feb 2014 10:36:10 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2014 10:36:10 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.45 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.45 mail-la0-f45.google.com  
Received: from [209.85.215.45] ([209.85.215.45:63673] helo=mail-la0-f45.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D4/00-35654-8117FE25 for <internals@lists.php.net>; Mon, 03 Feb 2014 05:36:09 -0500
Received: by mail-la0-f45.google.com with SMTP id b8so5311638lan.32
        for <internals@lists.php.net>; Mon, 03 Feb 2014 02:36:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=ofBYmkXdi2g2PcWInXpBwQKUy/tBCmEf5id93mhY7KM=;
        b=tS/4EFLArPAHff8pYEs0WKaCaxzfQSHnntF4kZC60sb8i2MNhwI/W94clQxbQRUYkd
         RNvh8wRMwBnNzoeDqKGAeKoPbUfCUzUblBv+x10zohDcKm4x2oWBL0xaECCdsZdk5+u8
         4Hsx/St0kIr1sCcPMVA1S6bZ5nDSulTJGmsaFuUaEusjXPucDClD/scqE7WYeeir3B9v
         s+DnvZvkeh1BSHDBCsVNHtL29Ngh7aCJVX6B8XKZ8/s+hzS66ZpdP5N+If3WTD+D/MXY
         HTNYZYbGZ5mChKhQ4VFFxciGgwpsfC6P73OsZE2q1HmGpMwAr0YgN5MGud045vxR7rDS
         e7bg==
X-Received: by 10.152.116.98 with SMTP id jv2mr647044lab.48.1391423766228;
 Mon, 03 Feb 2014 02:36:06 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Mon, 3 Feb 2014 02:35:26 -0800 (PST)
In-Reply-To: <52EF51FA.4000502@sugarcrm.com>
References: <CAGa2bXatpirSgsFhs1bdE72YCk3waPVsgr=M0NsRrwUZ3-5Uzg@mail.gmail.com>
 <52ED7AC8.6080703@sugarcrm.com> <CAGa2bXadBuhW73HP8y3ZDriStKQwOj8Ao+qe7BFFYOgY2C40_w@mail.gmail.com>
 <52EDF03C.5080201@sugarcrm.com> <CAGa2bXaviYguq9bAhHwAti0eOzdrUua9p_jVxZLZcLJ19CV1jQ@mail.gmail.com>
 <52EE1D2E.8060309@sugarcrm.com> <CAGa2bXaaGW5eQd_RgSQ4KQGUrkJmHHOgtwjxEYGVvps-wCYndw@mail.gmail.com>
 <52EF51FA.4000502@sugarcrm.com>
Date: Mon, 3 Feb 2014 19:35:26 +0900
X-Google-Sender-Auth: ELGCeDxX4PXkTW4J7gGuKJyITmk
Message-ID: <CAGa2bXZeC+DX7aGCZx+YerMndsx-7MxxCip6kjfg9aSNUotiyA@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c34cb05171e704f17e17b4
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c34cb05171e704f17e17b4
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Mon, Feb 3, 2014 at 5:23 PM, Stas Malyshev <smalyshev@sugarcrm.com>wrote:

> > I see some users are generating unsafe session ID. Purpose of change is
> > not to generate insecure ID when user want some prefix in session ID.
>
> What's "insecure session ID" and how it is related to the matter we are
> discussing?


If there is not a easy way to create secure session ID (Currently, we
don't),
users may generate session ID by their own which may be insecure.


>  > Yes.
> > Currently, if 'foo' is not there already, session_id('foo') does not set
> > session ID, but creates new random session ID when use_strice_mode=on.
> >
> > string session_id(string $prefix_or_id [, bool $use_prefix=FALSE]);
> >
> > $use_prefix=TRUE will bypass use_strict_mode=on.
>
> I still don't understand what use_prefix has to do with secure session
> and why use_prefix would bypass strict mode. Something is missing here
> for me. Could you give some more detailed explanation of what you're
> trying to do here?
>

I see codes that set insecure session ID. use_strict_mode=on is supposed
to prevent it. However, there are users who want to have prefix as explained
before.

They would like to know session creation time, owner without actually
reading
session data for performance reasons.

I think this is valid use case of prefixed session ID.


> > As discussed in other thread, mcrypt_create_iv() is good one, but
> > it has some limitations. That's the reason why I think it would be
> > better to have function that generates secure random ID some how.
>
> We have two functions that generate random sequences - one in openssl
> and one in mcrypt. Why we need a third one?
>

This does not relates for this RFC anymore, since session_id(PREFIX, TRUE)
address creating secure session.


>
> > Anyway, it is time to compile openssl module by default. IMHO.
>
> Why we must control what the user compiles? The users that know what
> they're doing will compile it anyway, the users that don't will use
> distros which couldn't care less about our defaults and build all
> extensions separately anyway. I don't see which problem you're trying to
> fix here.
>

For instance, isn't it nice to have hardware AES available for
applications, is it?
Developers may assume users to load required extension, though.

 > It makes security a lot simpler/easier for both users and internal
> > developers.
>
> What exactly is hard now but becomes easier? Typing --with-openssl is
> not hard.


I see many use cases of random bytes and encryption.

For example, there is no 'standard' function generating secure random
bytes now. We could say use of uniqid() as a secure random source is
bad, but isn't it bad that we don't provide standard function for it?

Available optionally and available always is different. IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c34cb05171e704f17e17b4--