Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72583
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 88195 invoked from network); 14 Feb 2014 07:48:32 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Feb 2014 07:48:32 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.171 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.171 mail-lb0-f171.google.com  
Received: from [209.85.217.171] ([209.85.217.171:40754] helo=mail-lb0-f171.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 38/F0-12906-E4ACDF25 for <internals@lists.php.net>; Fri, 14 Feb 2014 02:48:31 -0500
Received: by mail-lb0-f171.google.com with SMTP id c11so9253751lbj.30
        for <internals@lists.php.net>; Thu, 13 Feb 2014 23:48:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=vm51GpOf/8CPsacXo3Rr4/Sgss4J69JebUt/1IAx+Cs=;
        b=yQgAvw6Pv2y8o6TikGJtUp/udev3nSXzux06uA+Y90m7qMhmc4BmuivLJ6weNio+w7
         nOlV2bjMF5jLjawbzHev4CuXZea/ao8RYHZ8s6zY16q42PI329uXrKsEyMgNDyhK+9bV
         5N7OyRzl5OwYVRZAORz5k9ez8xVEkaTH9ftJtA8AkrfPfymRQhbL6TLDaW8Jg/ec9YVu
         m1g6yLzLM1Q0dUrQ1GwyNWzH6wC/woBKrTuwp2naQE1Bvk//VQwxGvVaUrhPNLMIKVzc
         MYtcvuwwtXmKgHx8pPiyBGkakY9kSc4fXw7+DomW4Om+WKMtcoi0xfO41rggfR81ag9T
         67tg==
X-Received: by 10.152.5.136 with SMTP id s8mr453155las.55.1392364106956; Thu,
 13 Feb 2014 23:48:26 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Thu, 13 Feb 2014 23:47:46 -0800 (PST)
In-Reply-To: <CAGa2bXYXuQ6hhbzTMne7SgErFfKfJ01w5RquAgA4GBAAzN7hAA@mail.gmail.com>
References: <CAGa2bXYXuQ6hhbzTMne7SgErFfKfJ01w5RquAgA4GBAAzN7hAA@mail.gmail.com>
Date: Fri, 14 Feb 2014 16:47:46 +0900
X-Google-Sender-Auth: hEX8QIF0dz6UAwi_jA4orY4V0_k
Message-ID: <CAGa2bXauh+PoSNvFf38eqQkvQ6y_9cgga2DENmV35a9Ncs2Dtw@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>, Stas Malyshev <smalyshev@sugarcrm.com>
Content-Type: multipart/alternative; boundary=047d7b8743a4fe43f404f25907d2
Subject: Re: [VOTE] RFC: Introduce session_start() options - read_only,
 unsafe_lock, lazy_write and lazy_destroy
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--047d7b8743a4fe43f404f25907d2
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Thu, Feb 13, 2014 at 12:39 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> I almost forgot to start vote for this RFC.
> This RFC is to introduce options to session_start().
> Options are read_only, lazy_write, unsafe_lock and lazy_destroy.
> lazy_destroy is bug fix in fact.
>

I think there is some misunderstanding. lazy_destroy is design bug fix
indeed. Without it, we cannot make sure that old sessions are deleted when
session_regenerate_id() is called, or unwanted race condition if it is
deleted. Leaving old session alive works, but it opens attack vector
unnecessarily.

I thought "deleted session data should be deleted" like you at first. You
can see that in this thread.

http://marc.info/?l=php-internals&m=138242492914526&w=2

However, conclusion is "Session data cannot be deleted immediately".
Accesses from a client are not serialized. Therefore, immediate session
data deletion results in unwanted behavior. Application that manages
personal photos is good example.

 - User can only display photos when he/she is logged in.
 - There are private photos in user's personal page. i.e. All photos are
protected by authenticated session.

When browser accesses to the personal page, application checks
authentication status and returns HTML page for it if user's session is
authenticated. Browser tries to load images which require authenticated
session. If session_regenerate_id() is called (timeout, etc) while loading
images, what happens? If old session data is deleted, other images cannot
be loaded because requests are done by old session ID. This scenario valid
since current browser uses multiple connections to load resources of a web
page.

Currently, session_regenerate_id() does not delete session by default. It
leaves old one. It is made not to delete old session data by default so
that it will work under such scenario.

What happens to  "should be deleted" old session data? It keeps working as
valid session until it is deleted by GC. This behavior is not acceptable.
If user's session is stolen by JavaScript injection/sniffering/etc,
attacker may abuse stolen session forever. All attacker has to do is access
web server so that GC will not delete it. session_regenerate_id() does not
help because attacker has valid authenticated session already.

The solution for this is delayed deletion when session should be deleted.
lazy_destroy (name could be changed) allows to access deleted session data
specified amount of time. No more than that. (90 sec by default).
Therefore, attackers cannot abuse stolen sessions forever and
session_regenerate_id() works as it should. i.e. Create new session and
delete old one to mitigate risk of stolen session.

By the way, session_destroy() could be made to delete session data
immediately. It is made not to delete immediately to keep consistent
destroy behavior with session_regenerate_id(). Unless user use
session_destroy() strange way, immediate deletion should not be a problem.

I hope I explained well enough to understand what is the
session_regenerate_id() bug.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--047d7b8743a4fe43f404f25907d2--