Newsgroups: php.internals
Xref: news.php.net php.internals:73295
Date: Wed, 19 Mar 2014 12:27:44 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Subject: Re: Solution for session_regenerate_id() issues

Hi all,

On Thu, Mar 13, 2014 at 1:03 PM, Yasuo Ohgaki wrote:
> Current session_regenerate_id() has issues. I'll try to explain what
> these are.
>
> Issue 1: Old session data is not deleted.
>
> session_regenerate_id() does not delete the old session by default. It leaves
> the old session available. When an attacker can steal a session ID via
> XSS/sniffing/etc., the attacker can use the session ID as a valid ID for as long
> as the application allows. No detection/prevention of a security breach is
> possible at the session module level. This behavior is unacceptable for
> security reasons.
>
> Issue 2: Old session data cannot be deleted.
>
> session_regenerate_id(TRUE) deletes old session data immediately. It's
> good for security, but if there are multiple connections from a client to the
> server (e.g. AJAX/iframe/tabs/etc.), a valid connection may fail since it
> could be using the old session ID. Therefore, session_regenerate_id() does
> not delete old session data. Immediate session data deletion is
> unacceptable for reliable operation.
>
> To solve these 2 issues, we need to delay old session data deletion.
> Delete old session data 60 seconds later, for example.
>
> Any other feasible solutions are welcome. I cannot think of
> any.

I've updated the old RFC related to this.

https://wiki.php.net/rfc/session_regenerate_id

I hope I've explained well enough why delayed deletion is needed.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
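The delayed-deletion scheme described above, written out in PHP userland as an added example. This is not code from the PHP project, the RFC, or this thread. It assumes PHP 7.1 or later for session_create_id(), takes the 60-second grace period from the message, and the marker keys __destroyed and __new_sid, the function names, and the returned state strings are all assumed names chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not PHP project code. Assumes PHP >= 7.1 (session_create_id()).
// Grace period taken from the proposal: old session data stays readable 60 seconds.
const SESSION_GRACE_SECONDS = 60;

// Hypothetical marker keys written into the OLD session record.
const SESSION_KEY_DESTROYED = '__destroyed';
const SESSION_KEY_NEW_SID   = '__new_sid';

/**
 * Replacement for session_regenerate_id(): issues a new id but neither deletes
 * the old record at once (issue 2) nor leaves it valid forever (issue 1).
 * The old record is stamped with the time it was superseded and the successor id.
 */
function session_regenerate_id_delayed(): void
{
    $data  = $_SESSION;               // payload that the new record will carry
    $newId = session_create_id();     // collision-free id for the active handler

    // Stamp the OLD record and write it while it is still the active session.
    $_SESSION[SESSION_KEY_DESTROYED] = time();
    $_SESSION[SESSION_KEY_NEW_SID]   = $newId;
    session_commit();

    // Open the new record. Strict mode rejects ids the handler has never seen,
    // so it is switched off only while the new record is created.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    ini_set('session.use_strict_mode', '1');

    $_SESSION = $data;                // the new record carries no markers
}

/**
 * Replacement for session_start(): enforces the grace period.
 * Returns 'live', 'migrated' or 'expired' so the caller can log what happened.
 */
function session_start_delayed(): string
{
    session_start();
    if (!isset($_SESSION[SESSION_KEY_DESTROYED])) {
        return 'live';                // current record, nothing to do
    }

    $destroyedAt = (int) $_SESSION[SESSION_KEY_DESTROYED];
    if (time() - $destroyedAt <= SESSION_GRACE_SECONDS) {
        // A late request (AJAX, iframe, second tab) still presenting the old id:
        // follow the pointer to the successor record instead of failing it.
        $newId = (string) $_SESSION[SESSION_KEY_NEW_SID];
        session_commit();
        session_id($newId);
        session_start();
        return 'migrated';
    }

    // Old id presented after the grace period: this is the breach signal the
    // proposal wants the session module to be able to detect. Drop the record
    // and hand out a fresh id.
    error_log(sprintf('session: superseded id presented %ds after regeneration',
                      time() - $destroyedAt));
    $_SESSION = [];
    session_destroy();
    session_start();
    session_regenerate_id(true);      // fresh id even when strict mode is off
    return 'expired';
}

// Usage (per request), kept as a comment because it needs a web SAPI:
//   $state = session_start_delayed();
//   ... after successful authentication: session_regenerate_id_delayed();
```

The 'migrated' branch is what makes the 60-second window safe for the multi-connection case in issue 2: a request that still carries the old id is moved onto the new record rather than dropped. The 'expired' branch is the detection point from issue 1; a superseded id seen after the window is treated as stolen, and the error_log line is the hook a monitoring pipeline would pick up. Two caveats a deployment must handle: the successor record only exists once the regenerating request has committed, so a request racing ahead of that commit will be given a new empty session by strict mode, and the old record still holds the full payload during the window, so the grace period should be as short as the application's concurrency allows.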