Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [Discussion] Secure session_regenerate_id()
From: Andrey Andreev <narf@devilix.net>
To: Yasuo Ohgaki
Cc: Pierre Joye, Stas Malyshev, internals@lists.php.net
Date: Thu, 20 Mar 2014 10:55:13 +0200
References: <5329E37C.5000106@sugarcrm.com> <532A43C5.309@sugarcrm.com>

Hi,

> I think most PHP users are using the session module as a complete tool for
> their web applications.
> They rely on it for proper session management even if the manual explains
> that HTTP session management cannot be trusted.

You can't fix people's perceptions, and as Mateusz previously noted - you're
trying to fix a problem that appears in an upper layer; that just isn't
possible.

> Since HTTP session management cannot be trusted, ID regeneration is
> required to mitigate risks. However, the current session_regenerate_id()
> behavior can hardly be called optimal.
> It does not make sure the obsolete session is deleted, nor does it raise an
> alarm for possible abuse. When it deletes the old session, it is unreliable.
>
> ...
>
> Leaving an active session behind is an unacceptable risk to me.
> I fail to understand why some of us do not see the risk of current HTTP
> session management and/or why it should be part of user code.

You keep repeating this argument that deleting the old session is unreliable,
not secure, unacceptable. That is simply not true.
Yes, it's a good practice to try to detect attacks and log them, etc., but it's
not mandatory; not doing it is not insecure, not a risk, and it is up to the
application developer to decide whether or not to do it and/or how to do it.
There's no silver bullet for this.

> How about a serializer wrapper?

It's a different approach, but otherwise the same thing.

Cheers,
Andrey.
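The two behaviours argued about in this thread (not leaving a live copy of the old session behind after regeneration, and noticing when an obsolete ID is presented again) can be done in user land on top of the existing session_regenerate_id(). The example below is added here; it is not code from this thread, from the RFC, or from ext/session. Everything beyond the stock session API is this example's own assumption: the in-memory SessionHandlerInterface implementation (so it runs from the CLI on PHP 8.1+ without files or cookies), the tombstone keys "__obsolete" and "__new_id", the 30-second grace period for requests that race a regeneration, and the choice to invalidate both the tombstone and its successor when an expired old ID is replayed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread, the RFC or ext/session.
// Assumptions: in-memory handler, "__obsolete"/"__new_id" keys, 30 s grace,
// invalidate both records on a late replay. PHP 8.1+.

const OBSOLETE_GRACE_SECONDS = 30;

/** Minimal in-memory handler so the example runs from the CLI without files or cookies. */
final class ArraySessionHandler implements SessionHandlerInterface
{
    /** @var array<string,string> serialized records keyed by session ID */
    public static array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return self::$store[$id] ?? ''; }
    public function write(string $id, string $data): bool { self::$store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset(self::$store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

/**
 * Regenerate the ID of the active session. Live data is committed under the
 * new ID; the old record is rewritten as a tombstone (timestamp + new ID)
 * instead of being left behind as a second valid copy of the session.
 */
function regenerate_with_tombstone(): string
{
    $oldId = session_id();

    session_regenerate_id(false);   // new ID, $_SESSION carried over, old record untouched
    $newId = session_id();
    session_write_close();          // live data is now stored under $newId

    session_id($oldId);             // reopen the old record and overwrite it
    session_start();
    $_SESSION = ['__obsolete' => time(), '__new_id' => $newId];
    session_write_close();

    session_id($newId);             // resume the live session
    session_start();
    return $newId;
}

/**
 * Call right after session_start() on every request.
 * Returns 'live' for a current session; 'migrated' when a request that raced
 * the regeneration arrived with the old ID inside the grace period (it is
 * moved onto the new ID); 'abuse' when an expired tombstone is presented, in
 * which case the tombstone and the successor session are both destroyed.
 */
function resume_session(?int $now = null): string
{
    $now ??= time();
    if (!isset($_SESSION['__obsolete'])) {
        return 'live';
    }
    $obsoleteAt = (int) $_SESSION['__obsolete'];
    $newId      = (string) $_SESSION['__new_id'];

    if ($now - $obsoleteAt <= OBSOLETE_GRACE_SECONDS) {
        session_write_close();
        session_id($newId);
        session_start();
        return 'migrated';
    }

    // An old ID replayed long after regeneration: whoever sent it should not
    // have it. Drop the tombstone and the live successor; log or alert here.
    session_destroy();
    session_id($newId);
    session_start();
    session_destroy();
    $_SESSION = [];
    return 'abuse';
}

// --- Constructed walk-through: three "requests" in one CLI process ---------
ini_set('session.use_cookies', '0');    // no Set-Cookie / cache headers from the CLI
ini_set('session.cache_limiter', '');
session_set_save_handler(new ArraySessionHandler(), true);

// Request 1: the user authenticates and the application regenerates the ID.
session_start();
$_SESSION['user'] = 'alice';
$oldId = session_id();
$newId = regenerate_with_tombstone();
session_write_close();

// Request 2: the legitimate client presents the new ID.
session_id($newId);
session_start();
$r2 = resume_session();
session_write_close();

// Request 3: someone presents the old ID well after the grace period.
session_id($oldId);
session_start();
$r3 = resume_session(time() + OBSOLETE_GRACE_SECONDS + 1);

printf("request 2: %s, request 3: %s\n", $r2, $r3);
printf("records left in store: %d\n", count(ArraySessionHandler::$store));
```

The grace period exists because a browser can have several requests in flight when the ID changes (XHR calls, image loads); a request that still carries the old ID a few seconds later is most likely legitimate and is simply moved to the new session rather than treated as an attack. Whether a replay after the grace period should invalidate the successor session too, or only be logged, is exactly the policy decision Andrey says belongs to the application; the example takes the strict option.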