Newsgroups: php.internals
Xref: news.php.net php.internals:73193
Date: Sun, 16 Mar 2014 08:53:39 +0000
From: shm@digitalsun.pl (Mateusz Kocielski)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Solution for session_regenerate_id() issues
Message-ID: <20140316085339.GA92540@mail>
References: <20140314074112.GB26909@mail> <20140314110326.GA80300@mail>

On Sat, Mar 15, 2014 at 08:46:29AM +0900, Yasuo Ohgaki wrote:
> Application means client side application?
>
> Suppose you have gallery application that only shows user's photo. Every request
> for photo should use authenticated session. If session_regenerate_id(TRUE) is called
> during page rendering, what happens?

By application I meant client side application. I don't believe that periodically regenerating sessions introduces better security.

Regarding the case you provide, if session_regenerate_id(TRUE) is used in the page which contains the photos, then all requests for images will contain the new session cookie. (If the browser requests the photos, then the body of the document was received, and thus the headers with the new cookie were received as well.) If session_regenerate_id() is used elsewhere, then I think that it's not our problem. However, we should update our documentation to note the problem.

BTW, https://bugs.php.net/search.php?cmd=display&search_for=session_regenerate_id - it seems that users also don't see this issue as a problem.

> Of course attacker may, but
>
> If session is hijacked,
> - User could know attack if session ID is regenerated by attacker.
> - Attacker could know there is hijack protection if session ID is
> regenerated by user.
>
> This is much better than current. Risk is mitigated rather than left open.
> BTW, almost all security measures are mitigation.

I don't see how risk is mitigated in that case. The user will lose the session (if it was regenerated by the attacker), which probably results in a logout; I don't believe that a typical user will be alarmed. As a result we'll get an attacker and a user using distinct sessions - how many applications already deny using two distinct sessions for one account?

Regards,
Mateusz Kocielski
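As an added example (not code from this thread or from PHP itself) of the "one session per account" rule the reply asks about, combined with regenerating the ID only at login rather than periodically: a PHP request handler that records the post-login session ID server-side and ends any other session for that account. The JSON file at STORE and the credentials_ok() function are assumptions standing in for a database table and a real login check.

```php
<?php
// Added example, not code from the thread or from PHP itself: one active
// session per account. The ID is regenerated at login (a privilege change,
// not periodically) and recorded server-side; a request whose ID is not the
// recorded one is stale or an orphaned copy and is logged out. STORE and
// credentials_ok() are assumptions standing in for a DB table and a login check.
const STORE = '/tmp/active_sessions.json';

function read_store(): array
{
    $map = is_file(STORE) ? json_decode((string) file_get_contents(STORE), true) : [];
    return is_array($map) ? $map : [];
}

function store_active_session(int $userId, string $sid): void
{
    $map = read_store();
    $map[$userId] = $sid;
    file_put_contents(STORE, json_encode($map), LOCK_EX);
}

function bind_session_to_account(int $userId): void
{
    // Drop the pre-login ID and its data so a fixated ID cannot be reused,
    // then record the fresh ID as the only valid session for this account.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    store_active_session($userId, session_id());
}

function session_is_current(): bool
{
    $userId = $_SESSION['user_id'] ?? null;
    if (!is_int($userId)) {
        return false;
    }
    $active = read_store()[$userId] ?? null;
    return is_string($active) && hash_equals($active, session_id());
}

session_start();
if (isset($_POST['login']) && credentials_ok($_POST)) {
    bind_session_to_account(42); // 42: constructed user id for the example
}
if (!session_is_current()) {
    // Not logged in, or a newer login replaced this session's ID: end it.
    session_unset();
    session_destroy();
    http_response_code(401);
    exit('No active authenticated session for this account.');
}
```

With this in place a copied session ID stops working as soon as the legitimate user logs in again, and a regeneration triggered by the copy likewise logs the legitimate user out, which is the visible signal the thread is debating.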