Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73216
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 1988 invoked from network); 17 Mar 2014 11:47:53 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Mar 2014 11:47:53 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.182 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.182 mail-lb0-f182.google.com  
Received: from [209.85.217.182] ([209.85.217.182:43549] helo=mail-lb0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 37/B3-17561-8E0E6235 for <internals@lists.php.net>; Mon, 17 Mar 2014 06:47:52 -0500
Received: by mail-lb0-f182.google.com with SMTP id n15so3581666lbi.13
        for <internals@lists.php.net>; Mon, 17 Mar 2014 04:47:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=mXg1eGe+crFWEKLSDguc4M30mtQmFLPFHJMr6kIv5TQ=;
        b=QoYF+O+duZNDH2okHQ1uNGIo/93S1d/3tmRCCibjSnfLBbC1BP4jTy252VwDG5MPVt
         lD3qEsVylEQb4a0A9ZuP/PRUgGNFH1Z6oW7E6JQbFXjKi8oeFSTOdkVResdohScHCJ5w
         1n52iaqVKVnewnHTmXmjqLnrZ2thbVhw0lIbzoVRFEwbiMFvCyyicucqHykjuJcWRsJX
         Q0/ufhzFZM7D+YMFkF5Rai7IWNVHw3RB51QE98fFMYbfcUddRQuKkjyZkIb6KdF/UNKa
         RnYIqegNNc/lxEYEFCOTjN68FlT1Y0E/MIOG1M6R4KAbDmpL105rY/zKP8Kspi4GVj9F
         FFzg==
X-Received: by 10.152.4.41 with SMTP id h9mr737665lah.43.1395056869440; Mon,
 17 Mar 2014 04:47:49 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.205.73 with HTTP; Mon, 17 Mar 2014 04:47:08 -0700 (PDT)
In-Reply-To: <CAPhkiZz4bN8XQOtkeyXMArgdngHVjHY+0gf-Qnb9RY8xrxOZTg@mail.gmail.com>
References: <CAPhkiZz4bN8XQOtkeyXMArgdngHVjHY+0gf-Qnb9RY8xrxOZTg@mail.gmail.com>
Date: Mon, 17 Mar 2014 20:47:08 +0900
X-Google-Sender-Auth: Rki936UA5Tj4x6R1LcZzbxzgORM
Message-ID: <CAGa2bXbF5ip_rzt+P3vc1ReEU-RoP5vGOnrTTDpTLeMGSLDrAg@mail.gmail.com>
To: Andrey Andreev <narf@devilix.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e013d1fde24fffb04f4cbfd0d
Subject: Re: [PHP-DEV] Solution for session_regenerate_id() issues
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e013d1fde24fffb04f4cbfd0d
Content-Type: text/plain; charset=UTF-8

Hi Andrey,

On Mon, Mar 17, 2014 at 8:00 PM, Andrey Andreev <narf@devilix.net> wrote:

> I don't think delaying deletion is a good idea, it just brings more
> complexity to the whole process and I can't really imagine how it
> would be handled, since PHP is not run as a daemon - this is the
> reason why the session GC is triggered by chance instead of running as
> some type of a cron job.
>
> Applications usually handle this by not regenerating session ID during
> an ajax request. Most JS frameworks would send a 'X-Requested-With:
> XMLHttpRequest' header to provide a way for Ajax detection, and PHP
> frameworks have helper methods to look for that header. Even if they
> don't - anybody can implement a similar solution for their own
> application.
>
> With that said, I'd rather give a +1 for changing the
> session_regenerate_id() default action from "don't delete" to
> "delete", like you've previously suggested.
>
> Btw, I wouldn't worry about stolen session IDs ... if somebody steals
> it once, they'll do it after regeneration as well. Session ID
> regeneration is only effective against brute-force attacks.
>

Do you realize that stolen session could be used by attackers without
any indication currently? Unlike read_only, this is not about legitimate
user's
request. It's very easy to set up fake router by ARP spoofing. Stripping
HTTPS
is simple task and almost all users don't care about if HTTPS is used or
not.
Script kiddy is enough to steal session ID.

To mitigate regeneration risk and keep session availability at the same
time,
delayed deletion is mandatory. It's also better than immediate deletion
because
it allows to detect possible attack. As you mentioned, if session ID could
be
stolen, session ID may be stolen as many times as attacker wants.

Keeping session ID secure as much as possible is session manager's task.
Current mitigation that relies on GC is far from optimal and not acceptable.
Immediate deletion is worse than delayed deletion.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e013d1fde24fffb04f4cbfd0d--