Newsgroups: php.internals
Date: Mon, 3 Feb 2014 12:54:01 +0200
From: narf@devilix.net (Andrey Andreev)
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default

Hi,

On Mon, Feb 3, 2014 at 12:18 PM, Yasuo Ohgaki wrote:
> Hi Andrey,
>
> On Mon, Feb 3, 2014 at 4:31 PM, Andrey Andreev wrote:
>>
>> 'use_strict_mode' is supposed to generate a new session ID when the
>> application receives a session cookie with an invalid (non-existing)
>> session ID.
>> I don't think that it should've ever changed the behavior of
>> session_id() and I'd rather consider it a bug if it doesn't allow it
>> to set the new session ID.
>
>
> I can understand your opinion. Yet, it would be better for users to have
> securely prefixed session ID. IMHO.
>
> string session_id('PREFIX_', TRUE);
>
> This does not set insecure session ID, since it only adds prefix to
> generated session ID.

I was just pointing out that 'use_strict_mode' shouldn't change the
behavior of session_id(). In other words, you don't need a "force"
option, because passing a custom-made ID by itself already tells it to
force something.

Don't know why you're talking about prefixes here ... nothing to do
with security.

>> 'hash_bits_per_character' has nothing to do with security and its only
>> useful purpose that I could think of is maintaining BC for
>> database-stored session data, where i.e. the ID used to be an md5 hash
>> and switching to sha1 would require altering the field length to
>> 40. Increasing hash_bits_per_character in that case would allow a
>> sha-1-sized hash to be stored in 32 characters.
>> Other than that (and probably some crazy traffic volume-related
>> micro-optimization), it's pretty useless.
>
>
> Since the RFC is proposing stronger hash function as NIST suggests,
> session ID needs to have longer hash bits. To reduce size of session ID,
> larger hash bits is proposed. Similar reason you explained.
>
> Some user may have limited storage size for session ID. However, it's
> not a good excuse keeping weaker setting. Users need weaker settings
> should set values for their own. IMHO.

I'm not sure I understand what you're saying. If it is that you want to
maintain BC on the session ID length - sure, I see how that would be
nice to have. Not that I have any authority around here, but I'd
recommend updating the RFC to properly explain this. As it stands, it
almost makes it look like incrementing the 'hash_bits_per_character'
value by itself increases security, and it doesn't. :)

>> That "allow an underscore when hash_bits_per_character=6" is also not
>> in the scope of security and the hash function itself wouldn't
>> generate an underscore, so ... what has it got to do with anything?
>
>
> If hash_bits_per_character=6, files save handler uses all chars for session
> ID and users cannot have prefix delimiter char. User may use string offset,
> though. That's the reason why there is '_' proposal.

This is hard to follow, I really don't understand why we're talking
about prefixing here at all and how it relates to
'hash_bits_per_character' or security.

Cheers,
Andrey.
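As an added illustration of the 'hash_bits_per_character' point discussed in the message above (this is example code written for this page, not code from the thread or from PHP itself): a Python re-implementation of the bit-packing PHP's session module uses to turn a hash digest into a session ID, modeled on its bin_to_readable() routine and hexconvtab symbol table. The 64-character alphabet is reproduced from memory of ext/session/session.c and should be treated as an assumption; SHA-256 is included in the length table only as a stand-in for the "stronger hash function" the RFC refers to. The example shows that the setting changes only how many characters the same digest bits occupy, that the encoding is lossless (decoding the ID recovers every digest bit, so the entropy is unchanged by the setting), that a 160-bit SHA-1 digest fits in 32 characters at 5 bits per character (the length of MD5 at 4), and that the alphabet contains no '_'.

```python
import hashlib

# PHP's session ID symbol table (hexconvtab in ext/session/session.c): 64
# symbols, so at most 6 bits per character. Assumed from memory of that
# source; note that '_' is not in it, so no generated ID ever contains one.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"


def bin_to_readable(digest: bytes, nbits: int) -> str:
    """Encode `digest` as a session ID using `nbits` bits per character.

    Re-implementation (not PHP's code) of the packing done by PHP's
    bin_to_readable(): bits are consumed low-order first (so the 4-bit
    form is not the same text as hexdigest()), and a final partial
    character is zero-padded.
    """
    if nbits not in (4, 5, 6):
        raise ValueError("hash_bits_per_character must be 4, 5 or 6")
    mask = (1 << nbits) - 1
    out = []
    w = 0       # bit accumulator
    have = 0    # valid bits currently in w
    it = iter(digest)
    while True:
        if have < nbits:
            b = next(it, None)
            if b is not None:
                w |= b << have
                have += 8
            elif have == 0:
                break            # everything consumed
            else:
                have = nbits     # final partial character, high bits are 0
        out.append(ALPHABET[w & mask])
        w >>= nbits
        have -= nbits
    return "".join(out)


def readable_to_bin(sid: str, nbits: int, digest_len: int) -> bytes:
    """Inverse of bin_to_readable(): recover the digest from the ID.

    Lossless for every nbits, which is the whole point: the ID carries
    exactly the digest's bits whatever hash_bits_per_character is set to.
    """
    w = 0
    have = 0
    out = bytearray()
    for ch in sid:
        w |= ALPHABET.index(ch) << have
        have += nbits
        while have >= 8 and len(out) < digest_len:
            out.append(w & 0xFF)
            w >>= 8
            have -= 8
    return bytes(out)


def id_length(digest_len: int, nbits: int) -> int:
    """Characters an ID needs: ceil(8 * digest_len / nbits)."""
    return (8 * digest_len + nbits - 1) // nbits


def length_table() -> dict:
    """(ID length in chars, digest size in bits) per hash/nbits combination.

    The second value is the entropy bound and does not depend on nbits,
    because the encoding is a bijection (see readable_to_bin).
    """
    table = {}
    for name, digest_len in (("md5", 16), ("sha1", 20), ("sha256", 32)):
        for nbits in (4, 5, 6):
            table[(name, nbits)] = (id_length(digest_len, nbits), 8 * digest_len)
    return table


if __name__ == "__main__":
    # Constructed input: the seed is arbitrary; only the digest gets encoded.
    digest = hashlib.sha1(b"constructed session seed").digest()
    for nbits in (4, 5, 6):
        sid = bin_to_readable(digest, nbits)
        assert readable_to_bin(sid, nbits, len(digest)) == digest
        print(f"sha1 @ {nbits} bits/char: {len(sid):2d} chars  {sid}")
    for (name, nbits), (length, bits) in sorted(length_table().items()):
        print(f"{name:6s} @ {nbits} bits/char: {length:2d} chars, {bits} digest bits")
```

Running it prints the SHA-1 ID at each setting (40, 32 and 27 characters) and the length table; the "digest bits" column is the same for every row of a given hash, which is the concrete form of the claim that the setting is a storage-size knob rather than a security one.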