Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73201
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 54957 invoked from network); 17 Mar 2014 02:16:25 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Mar 2014 02:16:25 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.178 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.178 mail-lb0-f178.google.com  
Received: from [209.85.217.178] ([209.85.217.178:61729] helo=mail-lb0-f178.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 77/34-20890-6FA56235 for <internals@lists.php.net>; Sun, 16 Mar 2014 21:16:23 -0500
Received: by mail-lb0-f178.google.com with SMTP id s7so3305744lbd.9
        for <internals@lists.php.net>; Sun, 16 Mar 2014 19:16:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=4RwQ7L0ZRgoA/JqpeCI+0oOPqL6DXJw+ptsasSum1VY=;
        b=M7WQDIx3N4jl45ovz3YR1XrM5PnAoRbDYlweHj2+WrnPOPkSdnpoNSS0CW6/1RL7yA
         i3U+zcyuogB6TrZ9ZsPu50jiMSvcsKo4DZSq7sAaydKXZr7bAc4E4PqOUOCe4S0p1/l4
         a9Vc0JzcxRA9S88IwCRk4bFmZZk1LhWK2+zDPdwKrcP6ywNxouzG23hAktSYbgwRNIhZ
         cLAi/Ta4EmlJJo/qxoSRFyIaD30Yn0b0GmMaAquevn+EkesakOjABHt6eA3cwueLS9ua
         f0ilYE4dRhqZDAiEkS6L+MLU7zZBnPtEHiQf1sLHgd9HAlTzRCkpjb1MvZQi+AHQNny6
         cWNw==
X-Received: by 10.152.1.8 with SMTP id 8mr14862317lai.1.1395022579806; Sun, 16
 Mar 2014 19:16:19 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.205.73 with HTTP; Sun, 16 Mar 2014 19:15:39 -0700 (PDT)
In-Reply-To: <20140316085339.GA92540@mail>
References: <CAGa2bXZT8w9=usaPcJzs8NaiGfCpqvw3NVOBvTuGmSAs3vwxEQ@mail.gmail.com>
 <20140314074112.GB26909@mail> <CAGa2bXYQXgJi2jxLxR4iCKb79LwQREUHLZ0z-+D5c-8fd6P1Kw@mail.gmail.com>
 <20140314110326.GA80300@mail> <CAGa2bXZjP7kgJ_03-mafaK5OCAfONnPNOrhu0-7XYFxRTK03DA@mail.gmail.com>
 <20140316085339.GA92540@mail>
Date: Mon, 17 Mar 2014 11:15:39 +0900
X-Google-Sender-Auth: Ds2sesf_796kzNsJXL6vK1H72Sw
Message-ID: <CAGa2bXYXx5e9fDxLWNyUfkNxHcwjkV7g82iNtgC=-LeuoMYArg@mail.gmail.com>
To: Mateusz Kocielski <shm@digitalsun.pl>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0122813252b8f604f4c4011f
Subject: Re: [PHP-DEV] Solution for session_regenerate_id() issues
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e0122813252b8f604f4c4011f
Content-Type: text/plain; charset=UTF-8

Hi Mateusz,

On Sun, Mar 16, 2014 at 5:53 PM, Mateusz Kocielski <shm@digitalsun.pl>wrote:

> On Sat, Mar 15, 2014 at 08:46:29AM +0900, Yasuo Ohgaki wrote:
>
> > Application means client side application?
> >
> > Suppose you have gallery application that only shows user's photo. Every
> > request
> > for photo should use authenticated session. If
> session_regenerate_id(TRUE)
> > is called
> > during page rendering, what happens?
>
> By application I meant client side application. I don't believe that
> periodically regenerating session introduces better security. Regarding the
>

Stealing session ID is easy even with HTTPS. Therefore, changing session ID
is
the security best practice to mitigate risk.


> case you provide, if session_regenerate_id(TRUE) is used in the page which
> contains photos, then all requests for images will contain new session
> cookie. (If browser requests for photos, then body of the document was
> received, thus also headers with new cookie was received). If
> session_regenerate_id() is used elsewhere, then I think that it's not our
> problem.


It's session manager problem. Currently, session module allows to exploit
stolen session
as long as app allows even when user follows security best practice. i.e.
call session_regenerate_id()
periodically. I think almost all apps do not have proper mitigation.

There must be mitigation and it could be done with deletion time stamp by
session manager.
It's a session manager design issue. Session manager should provide
mitigation rather than leaving
it to users. IMO.

I copied following lines from previous my mail just in case you missed it.

Users may set timeout flag in $_SESSION array and check the value if
session could be active or not. In order to do that in user land, one may do

session_start()
// ** check timeout flag **
if (!empty($_SESSION['VALID_UNTIL']) && $_SESSION['VALID_UNTIL'] < time()) {
   session_destroy();
   trigger_error('Possible session hijack attack detected');
   die('Possible session hijack attack detected');
}

// ** set timeout flag **
if ($_SESSION['LAST_REGENERATE'] < time() + 600) {
  $_SESSION['VALID_UNTIL'] = time() + 60; // Shorter is better, but rather
large value is set for lost radio/hand over/etc. Old session is allowed to
use as valid session for 60 seconds.
  session_commit(); // Need to save above data in old session.
  session_start();
  $_SESSION['LAST_REGENERATE'] = time(); // Update regenerate time here.
  session_regenerate_id(); // New session ID and old session data with old
session ID is left
  unset($_SESSION['VALID_UNTIL']; // This session should not be deleted
later.
}


> However, we should update our documentation to note the problem.
>
> BTW,
>
> https://bugs.php.net/search.php?cmd=display&search_for=session_regenerate_id
> - it seems that users also don't see this issue as a problem.
>

Two of them are mine ;)


>
> > Of course attacker may, but
> >
> > If session is hijacked,
> >  - User could know attack if session ID is regenerated by attacker.
> >  - Attacker could know there is hijack protection if session ID is
> > regenerated by user.
> >
> > This is much better than current. Risk is mitigated rather than left
> open.
> > BTW, almost all security measures are mitigation.
> >
>
> I don't see how risk is mitigated in that case. User will lose session (if
> it
> was regenerated by attacker) which probably result in logout, I don't
> believe
> that typical user will be alarmed.


Session manager can raise error for invalid access. Programmer may catch
the
error and warn user/attacker if users are cautious.


> As a result we'll get an attacker and user
> using distinct sessions - how many applications already deny using two
> distinct sessions for one account?


This one is user (PHP developer) issue since session manager does not know
about users. Web apps may allow or disallow multiple sessions. It's
developer's choice.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e0122813252b8f604f4c4011f--