Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72585
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 95162 invoked from network); 14 Feb 2014 09:39:19 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Feb 2014 09:39:19 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.181 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.181 mail-lb0-f181.google.com  
Received: from [209.85.217.181] ([209.85.217.181:46977] helo=mail-lb0-f181.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 13/02-12906-644EDF25 for <internals@lists.php.net>; Fri, 14 Feb 2014 04:39:18 -0500
Received: by mail-lb0-f181.google.com with SMTP id z11so8230836lbi.12
        for <internals@lists.php.net>; Fri, 14 Feb 2014 01:39:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=/BnfnmjgswqNi92cnmWcYWGbpYzWgo5m7fSPZL0hTyg=;
        b=ThLnUTmL0RAKTtHc8tme8DuzavbAWk7K2buwD2Mv5sJ1Cl1qDqKzcLUUeA0E2dOK0T
         Fy1s+DdO7s4LZEN6miMxGDj9jCzSWPSVDPiOPuJX71OW0Mns5poKDFgWHt31y+qGKBMK
         +Fg6NM2cGbDkAUN2iGxBuSMtW92PxAWkFd7D+Jr+9M+hPA39Y3lqSuD03huKVaHleBuy
         LMSIXKsHRHhzDCEczRWuEcNtgbMkTLwm3n5+s08Kf4r22I9O/Hxiw3VZ1mNw7X4S+Jpj
         uqe6RyaprMuETUXbIRbgYq6zJiQ2PiW+gizH7lViJKy9bDgPP+F5UMsuBJRz3oRQLJ5Z
         lajA==
X-Received: by 10.112.160.161 with SMTP id xl1mr473795lbb.71.1392370755226;
 Fri, 14 Feb 2014 01:39:15 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Fri, 14 Feb 2014 01:38:35 -0800 (PST)
In-Reply-To: <52FDD23F.9010808@sugarcrm.com>
References: <CAGa2bXYXuQ6hhbzTMne7SgErFfKfJ01w5RquAgA4GBAAzN7hAA@mail.gmail.com>
 <CAGa2bXauh+PoSNvFf38eqQkvQ6y_9cgga2DENmV35a9Ncs2Dtw@mail.gmail.com> <52FDD23F.9010808@sugarcrm.com>
Date: Fri, 14 Feb 2014 18:38:35 +0900
X-Google-Sender-Auth: fp8pacoMxiz7Yaud9nCmqdbWGqw
Message-ID: <CAGa2bXb4T47_T3N4J0b5+Pp+kwqJO64mO3AuRm7bqT4S75dTaA@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c3352842d17104f25a9467
Subject: Re: [VOTE] RFC: Introduce session_start() options - read_only,
 unsafe_lock, lazy_write and lazy_destroy
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c3352842d17104f25a9467
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Fri, Feb 14, 2014 at 5:22 PM, Stas Malyshev <smalyshev@sugarcrm.com>wrote:

> > When browser accesses to the personal page, application checks
> > authentication status and returns HTML page for it if user's session is
> > authenticated. Browser tries to load images which require authenticated
> > session. If session_regenerate_id() is called (timeout, etc) while
> > loading images, what happens? If old session data is deleted, other
> > images cannot be loaded because requests are done by old session ID.
> > This scenario valid since current browser uses multiple connections to
> > load resources of a web page.
>
> If anything was called that makes old session invalid, any further
> access to this session should result in failure. How the app does it,
> does not matter really. Doing otherwise would be a huge security problem
> - you removed the session, but you still can access it. Timing does not
> matter - milliseconds of unauthorized access may be enough to compromise
> an account. So I don't see any use in "delete, but only with delay"
> option - if the data still valid, no reason to delete, if not valid -
> should be deleted immediately.


Ideally, it is better to be deleted immediately.
Due to the limitation of web technology, it is not possible without
unwanted behaviors.

 - Limitation: It is impossible to force browsers access resources one by
one.
 - Unwanted behaviors: Some accesses may be denied, image/iframe/js
content/etc not accessible by vanished session.

As I explained, current work round for the limitation (keep "must be
deleted" session) allows access to attackers indefinite period of time. It
will be reduced from indefinite to seconds with this RFC.

When ideal solution cannot be chosen, we should choose better.
Allow attackers seconds or indefinite attack time?
Users may set as short as 1 second with this RFC.

Implementation/setting of delayed deletion is debatable, but choice is
obvious to me...

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c3352842d17104f25a9467--