Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:73306 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 12221 invoked from network); 19 Mar 2014 18:35:45 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Mar 2014 18:35:45 -0000 Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 108.166.43.75 as permitted sender) X-PHP-List-Original-Sender: smalyshev@sugarcrm.com X-Host-Fingerprint: 108.166.43.75 smtp75.ord1c.emailsrvr.com Linux 2.6 Received: from [108.166.43.75] ([108.166.43.75:49472] helo=smtp75.ord1c.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CB/21-05195-083E9235 for ; Wed, 19 Mar 2014 13:35:44 -0500 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp2.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 456351EDCD6; Wed, 19 Mar 2014 14:35:41 -0400 (EDT) X-Virus-Scanned: OK Received: by smtp2.relay.ord1c.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id D057D2F922E; Wed, 19 Mar 2014 14:35:40 -0400 (EDT) Message-ID: <5329E37C.5000106@sugarcrm.com> Date: Wed, 19 Mar 2014 11:35:40 -0700 Organization: SugarCRM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Yasuo Ohgaki , "internals@lists.php.net" References: In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC] [Discussion] Secure session_regenerate_id() From: smalyshev@sugarcrm.com (Stas Malyshev) Hi! > Secure session_regenerate_id() > https://wiki.php.net/rfc/session_regenerate_id Reading this RFC, I have the following thoughts: 1. The name is a misnomer. session_regenerate_id is secure with "true" setting that deletes the session immediately. There's no security problem there. There might be usability problem for those that want to keep session around longer, but that's a different thing. Claiming that this RFC is necessary for secure session regeneration is not correct. 2. This functionality (limited-time soft deletion) can be very easily implemented in user-space - just add the timestamp before doing the regenerate and then checking for that variable in session_start. The amount of code that needs to be added is very small so I don't see why it requires any changes in the engine. 3. Session functions never threw exceptions and making them throw exceptions would break existing code, resulting in fatal errors. I don't think it is a good idea to do such thing in a minor version. If we move in next major to more widespread exception usage, it'd be fine but such as it is now, exceptions would certainly not be expected coming from session_start. I'm also not sure what such exception would be useful for. So, say, somebody accesses your site with stale session. You can not know if it were an attack or just some user clicking an old link with a stale cookie. You can not do anything with it but issue new session. So why have that exception at all? -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227