Newsgroups: php.internals
Xref: news.php.net php.internals:73142
Subject: Re: [PHP-DEV] Solution for session_regenerate_id() issues
From: shm@digitalsun.pl (Mateusz Kocielski)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Date: Fri, 14 Mar 2014 07:41:13 +0000
Message-ID: <20140314074112.GB26909@mail>

On Thu, Mar 13, 2014 at 01:03:15PM +0900, Yasuo Ohgaki wrote:
> Hi all,
>
> Current session_regenerate_id() has issues. I'll try to explain what these
> are.
>
> Issue 1: Old session data is not deleted.
>
> session_regenerate_id() does not delete the old session by default. It
> leaves the old session available. When an attacker can steal the session
> ID via XSS/sniffing/etc., the attacker can use the session ID as a valid
> ID as long as the application allows. No detection/prevention of a
> security breach is possible at the session module level. This behavior is
> unacceptable for security reasons.
>
> Issue 2: Old session data cannot be deleted.
>
> session_regenerate_id(TRUE) deletes old session data immediately. It's
> good for security, but if there are multiple connections from a client to
> the server (e.g. AJAX/iframe/tabs/etc.), a valid connection may fail since
> it could be using the old session ID. Therefore, session_regenerate_id()
> does not delete old session data. Immediate session data deletion is
> unacceptable for reliable operation.
>
> To solve these 2 issues, we need to delay old session data deletion.
> Delete old session data 60 seconds later, for example.
>
> Any other feasible solutions are welcome. I cannot think of any.
>
> Regards,
>
> P.S. Even with HTTP 2.0, old session data cannot be deleted immediately.
> A user may use multiple tabs.

I'm not sure if we should handle that in PHP; an application usually
regenerates the session on important events (i.e. on user login/logout
etc.), so any requests with the old session should be denied, and this can
be achieved using session_regenerate_id(TRUE). Wouldn't it be better to
write a security note in the documentation rather than making the whole
thing more complex?

Regards,
Mateusz
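The delayed deletion Yasuo proposes can be approximated at application level without changes to the session module. This is an added example, not code from either poster or from PHP itself; it assumes PHP 7.1 or later (for session_create_id()), session.use_strict_mode enabled in php.ini, and a hypothetical marker key `__superseded_at` stored in the old record.

```php
<?php
// Added example (not from the thread or from PHP): delayed deletion of the
// old session record after regeneration, done at application level.
// Assumes PHP 7.1+ (session_create_id) and session.use_strict_mode=1.
const SESSION_GRACE_SECONDS = 60; // the "60 seconds later" from the thread

// Regenerate the ID but keep the old record, stamped with the time it was
// superseded, so lagging requests (AJAX, iframes, other tabs) that still
// carry the old ID keep working during the grace window.
function regenerate_session_with_grace(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $data = $_SESSION;                 // data carried over to the new ID
    unset($data['__superseded_at']);
    $newId = session_create_id();      // collision-free while still active
    $_SESSION['__superseded_at'] = time();
    session_write_close();             // old record persists, now stamped
    // Strict mode rejects IDs that do not exist yet, so it is switched off
    // for this start only; ini_set() lasts for the current request alone.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    $_SESSION = $data;
    return $newId;
}

// Start the session and enforce the grace window: a superseded ID is
// accepted while the window is open and rejected once it has passed, so a
// stolen old ID stops working after at most SESSION_GRACE_SECONDS.
// Returns false when the request arrived with an expired old ID.
function start_session_with_grace(): bool
{
    if (!session_start()) {
        return false;
    }
    $supersededAt = $_SESSION['__superseded_at'] ?? null;
    if ($supersededAt !== null && $supersededAt < time() - SESSION_GRACE_SECONDS) {
        $_SESSION = [];
        session_destroy();             // drop the stale record...
        session_start();
        session_regenerate_id(true);   // ...and continue under a fresh ID
        return false;
    }
    return true;
}
```

Writes made by a lagging request inside the window land in the old record and are not merged into the new one, which is the trade-off this approach accepts in exchange for not breaking concurrent requests.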