Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73307
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 15427 invoked from network); 19 Mar 2014 19:33:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Mar 2014 19:33:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.51 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.51 mail-la0-f51.google.com  
Received: from [209.85.215.51] ([209.85.215.51:40923] helo=mail-la0-f51.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A5/A1-05195-401F9235 for <internals@lists.php.net>; Wed, 19 Mar 2014 14:33:25 -0500
Received: by mail-la0-f51.google.com with SMTP id pv20so326716lab.24
        for <internals@lists.php.net>; Wed, 19 Mar 2014 12:33:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=uuPjfJbdkeGQF1A2kAWqFBditELrPuttsKadjSkV18U=;
        b=HrOLSiiE2FhVsJ61z2yB0rIjo5TJv2GyM8C7CHg2+sMeuIs97qpnlVFKOdSzxvHUui
         V2hv05mB39nsawBDPD7Y4x9vtJ47LmkLT+k23bPJ8rzZDwWZOrTJltmSd0/fzVfmcDoT
         ckkLAlCOEFr2p5xBzRIHdFCG5HmCmUy9fUzxQnyadBtFEPAFgzapqVpOnXxISHInn9FE
         x1rIP4gneYFeQjMklRdAsHW6MYZyMxX5BmMXK3B3l8yeUmW/myYJQXnKSs9XQ6X1ggnc
         uNfNs93rBSSA3haCj42HJZtNjtDc1yX/EGOFSyfKxEEa1hhKVjGy+T9kxA9f/AYtKAlb
         mf4g==
X-Received: by 10.112.47.3 with SMTP id z3mr3401204lbm.34.1395257601931; Wed,
 19 Mar 2014 12:33:21 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.205.73 with HTTP; Wed, 19 Mar 2014 12:32:41 -0700 (PDT)
In-Reply-To: <5329E37C.5000106@sugarcrm.com>
References: <CAGa2bXYJqGqegGy=rYcDBXd8RmFFR9j=p2m63ZVSADoga+vwhg@mail.gmail.com>
 <5329E37C.5000106@sugarcrm.com>
Date: Thu, 20 Mar 2014 04:32:41 +0900
X-Google-Sender-Auth: nC21MHTjE3r5nmemq6q0XKXAfAc
Message-ID: <CAGa2bXaDA=EhqgxZLqkBjTJqPyeogma1oC8L8NiTKx3WKp-rUg@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1133ab62bbbeae04f4fab947
Subject: Re: [PHP-DEV] [RFC] [Discussion] Secure session_regenerate_id()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a1133ab62bbbeae04f4fab947
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Thu, Mar 20, 2014 at 3:35 AM, Stas Malyshev <smalyshev@sugarcrm.com>wrote:

> > Secure session_regenerate_id()
> > https://wiki.php.net/rfc/session_regenerate_id
>
> Reading this RFC, I have the following thoughts:
>
> 1. The name is a misnomer. session_regenerate_id is secure with "true"
> setting that deletes the session immediately. There's no security
> problem there. There might be usability problem for those that want to
> keep session around longer, but that's a different thing. Claiming that
> this RFC is necessary for secure session regeneration is not correct.
>

Strictly speaking, your view would be right. I don't mind giving better name
for this RFC. Any suggestion?

I'm recognizing reliability/availability as a part of security.
ISO 27000 defines it's a part of security.

 2. This functionality (limited-time soft deletion) can be very easily
> implemented in user-space - just add the timestamp before doing the
> regenerate and then checking for that variable in session_start. The
> amount of code that needs to be added is very small so I don't see why
> it requires any changes in the engine.
>

User may/can do this. I see this as task of HTTP session manager.
Session manager can do this task and users don't have to know they
must have it. It will provide better security for many applications/users.

Secure behavior by default is the way to go. IMO.
There are too many pitfalls in web application. We should try to mitigate
them
as many as possible where it could be done.

 3. Session functions never threw exceptions and making them throw
> exceptions would break existing code, resulting in fatal errors. I don't
> think it is a good idea to do such thing in a minor version. If we move
> in next major to more widespread exception usage, it'd be fine but such
> as it is now, exceptions would certainly not be expected coming from
> session_start.
>

I agree with this. It may be delayed until PHP6.

Work round would be configurable exception/error or set ether negative or
very large value for regenerate_id_expire to disable this.

Current behavior is the same as "session.regenerate_id_expire=FOREVER"
We may set "session.regenerate_id_expire=300" or larger as default.
300 would be safe enough for under normal circumstance.

Although I think all user should handle the exception, it may require
code modification.

session.regenerate_id_exception=0 or 1
   where 0 for 5.x, 1 for 6.x.

would be nice to have. User needs time to adopt exception. "Introducing this
now and enable by default later" seems better approach for users.

Thank you for point it out.
I'll add this to the RFC.


> I'm also not sure what such exception would be useful for. So, say,
> somebody accesses your site with stale session. You can not know if it
> were an attack or just some user clicking an old link with a stale
> cookie. You can not do anything with it but issue new session. So why
> have that exception at all?
>

The exception is just a trigger for developers. Web application may have
history/list of sessions. Developer may ask user to check these, for
example.
This cannot be a session manager task, so developers must handle exception
for usable way.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a1133ab62bbbeae04f4fab947--