Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73142
Return-Path: <shm@digitalsun.pl>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 34197 invoked from network); 14 Mar 2014 07:41:19 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Mar 2014 07:41:19 -0000
Authentication-Results: pb1.pair.com smtp.mail=shm@digitalsun.pl; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=shm@digitalsun.pl; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain digitalsun.pl from 176.31.254.40 cause and error)
X-PHP-List-Original-Sender: shm@digitalsun.pl
X-Host-Fingerprint: 176.31.254.40 turing.digitalsun.pl  
Received: from [176.31.254.40] ([176.31.254.40:51854] helo=mail)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 4E/1F-47923-D92B2235 for <internals@lists.php.net>; Fri, 14 Mar 2014 02:41:18 -0500
Received: from localhost (10000@localhost [local]);
	by mail (OpenSMTPD) with ESMTPA id f3cd882b;
	Fri, 14 Mar 2014 07:41:13 +0000 (UTC)
Date: Fri, 14 Mar 2014 07:41:13 +0000
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Message-ID: <20140314074112.GB26909@mail>
References: <CAGa2bXZT8w9=usaPcJzs8NaiGfCpqvw3NVOBvTuGmSAs3vwxEQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGa2bXZT8w9=usaPcJzs8NaiGfCpqvw3NVOBvTuGmSAs3vwxEQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [PHP-DEV] Solution for session_regenerate_id() issues
From: shm@digitalsun.pl (Mateusz Kocielski)

On Thu, Mar 13, 2014 at 01:03:15PM +0900, Yasuo Ohgaki wrote:
> Hi all,
> 
> Current session_regenerate_id() has issues. I'll try to explain what these
> are.
> 
> Issue 1: Old session data is not deleted.
> 
> session_regenerate_id() does not delete old session by default. It leaves
> old session available. When attacker could steal session ID via
> XSS/sniffing/etc, attacker can use session ID as valid ID as long as
> application allows. No detection/prevention of security breach is possible
> at session module level. This behavior is unacceptable for security reason.
> 
> Issue 2: Old session data cannot be deleted.
> 
> session_regenerate_id(TRUE) deletes old session data immediately. It's good
> for security, but if there are multiple connections from a client to server
> (e.g. AJAX/iframe/tabs/etc),  valid connection may fail since it could be
> using old session ID. Therefore, session_regenerate_id() does not delete
> old session data. Immediate session data deletion is unacceptable for
> reliable operation.
> 
> To solve these 2 issues, we need to delay old session data deletion. Delete
> old session data 60 seconds later, for example.
> 
> If there is any other feasible solutions are welcome. I cannot think of any.
> 
> Regards,
> 
> P.S. Even with HTTP 2.0, old session data cannot be deleted immediately.
> User may use multiple tabs.

I'm not sure if we should handle that in PHP, application usually regenerates
session on important events (i.e. on user login/logout etc.), so any requests
with old session should be denied, and this can be achieved using
session_regenerate_id(TRUE). Wouldn't it be better to write a security
note in the documentation rather than making whole thing more complex?

 Regards,
 Mateusz