Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72299 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 85186 invoked from network); 5 Feb 2014 21:59:29 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Feb 2014 21:59:29 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.48 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.215.48 mail-la0-f48.google.com Received: from [209.85.215.48] ([209.85.215.48:43111] helo=mail-la0-f48.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 4B/39-38005-F34B2F25 for ; Wed, 05 Feb 2014 16:59:28 -0500 Received: by mail-la0-f48.google.com with SMTP id mc6so816727lab.21 for ; Wed, 05 Feb 2014 13:59:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Yp2ygtgv+KUPKS8Mgg2Xmtav9NbQN58Wjty/T/p0ZiE=; b=vWm6IPsHbgIAMueoUTdsqQE/2v3S0OSr+DAaOSEEZp+bY1RSuDxHkVLWgZmLzr5TMY aU4K8s22AS85p2pILxOtKuOcQsoqz7OjUYgZuD+aLUPClJaWwDqgsTqnWfACkAGFoxzS g2JbfTuKqUzzPscm9WCeJWKNjijtq39vltIu0VOc2sxMebFRvEwLJYFYCFd9OmqRf4On 4sfuh8liMYZcD4uPFJkCpm56K6VtBaSnuLiqyXoqGbGiDyN9AP89IEYQ5Ax7aEgZKNVe wRmzRPGVWjnYyXMYPmZMd+elC/GsJ4O3js1LRWq932j+IfbeM79XqpIuU8O3XAVbQJsR WiCA== X-Received: by 10.152.205.11 with SMTP id lc11mr2619832lac.29.1391637564327; Wed, 05 Feb 2014 13:59:24 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.199.37 with HTTP; Wed, 5 Feb 2014 13:58:44 -0800 (PST) In-Reply-To: References: Date: Thu, 6 Feb 2014 06:58:44 +0900 X-Google-Sender-Auth: 79XugHnpdZoRdmPvwRMLh2IEd3o Message-ID: To: Andrey Andreev Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1133a818ad8a7704f1afde4a Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a1133a818ad8a7704f1afde4a Content-Type: text/plain; charset=UTF-8 Hi Andrey, On Thu, Feb 6, 2014 at 5:00 AM, Andrey Andreev wrote: > >> See my previous comment above. > >> You didn't chose a wrong name, you seem to have done a 2-in-1 RFC and > >> that's not the right approach IMO. At the very least - it's obviously > >> confusing and most of what you've said in this conversation isn't > >> described in the RFC at all. > > > > > > To me, it's the same objective that make session usage as secure as > > possible. > > I don't see reason to make 2 patches/RFC for making session module > secure. > > Perhaps, better title would be > > > > "Make session options/API as secure as possible" > > > > Regarding "_" addition to files save handler, it may not be RFC issue as > it > > does not break anything at all. Just an simple addition of safe char that > > is needed for new safe prefixed session ID with hash bits=6. It may apply > > even prefixed session. I think there are many changes like this w/o RFC. > > > > I tried to write RFC to be minimum and sufficient. I should add more > > description > > if it is not. Or add link of this thread. I think it's preferred way. > > Changing default settings in the proposed way makes ext/session > more secure by default. > > Adding a new parameter to session_id() only gives users an easier > way to do complete a task that they otherwise *could* do the wrong > way. > > The first has real, straight-forward impact on security and doesn't > change existing functionality. > The second only *might* lead to some userland code being more secure > and it is questionable if that's the proper tool for the job. I for > one would like more tools that allow me to change a session's > behavior, but a prefix is not one of them. > If you handle millions of sessions and would like to find specific active sessions with marginal overhead, prefixing is the way to go. Many users may not need it, but there are users who need. Currently, there is no easy way to get secure random bytes. Even if there is, session module is better to have it's own secure ID generator. > It's not the same thing, not even the same category. > > On the '_' character: > > Any character passed to session_id() should be allowed, depending on > hash_bits_per_character and just for the underscore doesn't sound good > to me. Since we have transid, some chars are not allow by session module /* Finally check session id for dangarous characters * Security note: session id may be embedded in HTML pages.*/ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) { Save handlers may have stricter limitations. Files is the one, since it saves data as file, only safe chars(white list) are allowed. User may set any ID via session_id(), but session module does not accept any dangerous session ID and creates new secure ID with use_strict_mode=On. Anyway, I don't mind removing things that aren't related to INI. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a1133a818ad8a7704f1afde4a--