Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73141
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 21317 invoked from network); 14 Mar 2014 03:10:55 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Mar 2014 03:10:55 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.175 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.175 mail-lb0-f175.google.com  
Received: from [209.85.217.175] ([209.85.217.175:42378] helo=mail-lb0-f175.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 46/7D-47923-D3372235 for <internals@lists.php.net>; Thu, 13 Mar 2014 22:10:54 -0500
Received: by mail-lb0-f175.google.com with SMTP id w7so1332832lbi.34
        for <internals@lists.php.net>; Thu, 13 Mar 2014 20:10:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=yrVJEK89zFKMbfZaH3I8P/qByjKI/MToXWmg7xFwCgo=;
        b=GKn7k5Uzzwnom2f2Q/MLk58xWIIv6uWe0zXkpRrw0TyxnGRuf8cD5MVBKudEVEMy+v
         5L9fsWhmFjUIhQZQtfnx/e6v4kZbR9vCg46sprUqO5nAPV7/RfKFDbvhfwFSsr32uh0h
         +Vj3b6TYaHoN9MgwGfXjSyj+8kXeVYxn6Rn/3pZALx1Z6gfg02oiLB4GLGU9kAE5825X
         dLIKGNGN5hhK07FbLzl9Noa8B9fleS+eAWKQeilTmNUR853Vbgjp4E4LP4Y5vGuAec00
         PgeURZDMVU592k9OCoPBpvSyOE13tMwu4+vFjPGx9kq8dm3Z4q2qeqtnAAgb+UfM6l9j
         Zhrw==
X-Received: by 10.112.173.169 with SMTP id bl9mr3382555lbc.1.1394766650488;
 Thu, 13 Mar 2014 20:10:50 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.205.73 with HTTP; Thu, 13 Mar 2014 20:10:10 -0700 (PDT)
In-Reply-To: <CAGa2bXZT8w9=usaPcJzs8NaiGfCpqvw3NVOBvTuGmSAs3vwxEQ@mail.gmail.com>
References: <CAGa2bXZT8w9=usaPcJzs8NaiGfCpqvw3NVOBvTuGmSAs3vwxEQ@mail.gmail.com>
Date: Fri, 14 Mar 2014 12:10:10 +0900
X-Google-Sender-Auth: pgA-E2LTFK59rF35LBI7PmOCXIQ
Message-ID: <CAGa2bXZr9SFFOxh5ju6hCkDoJaOd0GTA9sorm1bE-TKRbxdKaw@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c3275cbf3b3104f4886afb
Subject: Re: Solution for session_regenerate_id() issues
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c3275cbf3b3104f4886afb
Content-Type: text/plain; charset=UTF-8

Hi all,

Before I start working on revised session module improvement patch, I would
like to address session_regenerate_id() issue.

On Thu, Mar 13, 2014 at 1:03 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Current session_regenerate_id() has issues. I'll try to explain what these
> are.
>
> Issue 1: Old session data is not deleted.
>
> session_regenerate_id() does not delete old session by default. It leaves
> old session available. When attacker could steal session ID via
> XSS/sniffing/etc, attacker can use session ID as valid ID as long as
> application allows. No detection/prevention of security breach is possible
> at session module level. This behavior is unacceptable for security reason.
>
> Issue 2: Old session data cannot be deleted.
>
> session_regenerate_id(TRUE) deletes old session data immediately. It's
> good for security, but if there are multiple connections from a client to
> server (e.g. AJAX/iframe/tabs/etc),  valid connection may fail since it
> could be using old session ID. Therefore, session_regenerate_id() does not
> delete old session data. Immediate session data deletion is unacceptable
> for reliable operation.
>
> To solve these 2 issues, we need to delay old session data deletion.
> Delete old session data 60 seconds later, for example.
>
> If there is any other feasible solutions are welcome. I cannot think of
> any.
>

Current behavior (leaving active session that attackers may be abusing) is
far from optimal. I can only think of delayed deletion as the solution for
this.

Delayed session deletion implementation has 2 options. (Introducing
separate API has severe overheads. Thus, it's not an option)
 - set and check time stamp in $_SESSION. (Keep save handler/serializer
compatibility)
 - set and check time stamp in raw session data. (Need save
handler/serializer modification)

This is "must be fixed" design problem for new release. IMHO.
I don't mind which new release, but this should be fixed someday.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c3275cbf3b3104f4886afb--