Newsgroups: php.internals
Date: Mon, 17 Feb 2014 18:40:37 +0900
Subject: Re: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andrey Andreev
Cc: internals@lists.php.net

Hi Andrey,

On Mon, Feb 17, 2014 at 5:11 PM, Andrey Andreev wrote:
> I didn't want to interrupt a vote, but this 'id_length' setting was
> not initially a part of the RFC and it's just now that I see it.

I noticed a possible attack during the timing attack discussion. Therefore, I've added this.

A user-defined, 3rd-party session or certain system's save handler could be vulnerable. The simplest one would be a file system with linear directory search. It would be possible to get the 1st session ID on the system with a timing attack. I suppose this scenario is possible with embedded systems. If it is affected, it would be very easy to attack by timing.

We cannot assure that a system, 3rd-party or user save handler is timing safe because we cannot control the implementation. Setting a minimum length removes the possibility of the attack.

I might post the mail in a different thread, sorry.

> I don't see how it relates to timing attacks.
> If it is about comparing at least N characters of the session ID
> before rejecting one, then why not just compare all of them? ID length
> is public information, anybody can see what it is by simply looking at
> what the application gives them.
> And finally, the setting name itself is misleading - it doesn't make
> it clear that it's about minimum length.

I agree. Java has a similarly named setting with different semantics. The name could be anything. A better name would be appreciated.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
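The mitigation argued in the message, a minimum session ID length enforced before a save handler that PHP does not control touches its storage, as an added example that is not part of the thread or of PHP's own session module: a user-defined, file-backed save handler written against PHP 8's SessionHandlerInterface. The class name, the directory argument and the value of MIN_ID_LENGTH are assumptions.

```php
<?php
// Added example (not the thread's or PHP's own code): a user-defined, file-backed
// save handler that checks the session ID's length and alphabet before any
// filesystem lookup, so a short or malformed ID never reaches the storage lookup.
final class StrictFileSessionHandler implements SessionHandlerInterface,
    SessionUpdateTimestampHandlerInterface
{
    private const MIN_ID_LENGTH = 32;                 // assumed minimum, tune per deployment
    private const ID_CHARS = '/\A[0-9a-zA-Z,-]+\z/';  // covers PHP's session ID alphabets
    public function __construct(private string $dir) {}
    // The minimum-length rule from the thread, applied to every incoming ID.
    private function acceptable(string $id): bool
    {
        return strlen($id) >= self::MIN_ID_LENGTH && preg_match(self::ID_CHARS, $id) === 1;
    }
    private function path(string $id): string { return rtrim($this->dir, '/') . '/sess_' . $id; }
    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        if (!$this->acceptable($id)) { return ''; }   // rejected before touching disk
        $f = $this->path($id);
        return is_file($f) ? (string) file_get_contents($f) : '';
    }
    public function write(string $id, string $data): bool
    {
        return $this->acceptable($id) && file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool
    {
        $f = $this->path($id);
        return $this->acceptable($id) && (!is_file($f) || unlink($f));
    }
    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob($this->path('*')) ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }
    // With session.use_strict_mode=1 PHP consults this first: an unknown or too-short ID is refused.
    public function validateId(string $id): bool { return $this->acceptable($id) && is_file($this->path($id)); }
    public function updateTimestamp(string $id, string $data): bool { return $this->acceptable($id) && touch($this->path($id)); }
}
session_set_save_handler(new StrictFileSessionHandler(sys_get_temp_dir()), true);
```

Pair this with session.use_strict_mode=1 so that a client-supplied ID the handler does not recognise is replaced rather than adopted.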