Newsgroups: php.internals
Xref: news.php.net php.internals:73332
Date: Thu, 20 Mar 2014 12:04:23 +0200
From: narf@devilix.net (Andrey Andreev)
To: Mateusz Kocielski
Cc: Yasuo Ohgaki, "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC] [Discussion] Secure session_regenerate_id()
In-Reply-To: <20140320094913.GB65574@mail>
References: <20140319080229.GA83863@mail> <20140319111131.GB83863@mail> <20140320082346.GA61204@mail> <20140320091326.GA65574@mail> <20140320094913.GB65574@mail>

Hi,

On Thu, Mar 20, 2014 at 11:49 AM, Mateusz Kocielski wrote:
> On Thu, Mar 20, 2014 at 11:26:13AM +0200, Andrey Andreev wrote:
>
>> > This race condition will not change with or without my proposal.
>>
>> Which is another reason to leave this to user code:
>>
>> function ajax_safe_regenerate_id($delete = TRUE)
>> {
>>     // Skip regeneration for XMLHttpRequest calls, which popular JS
>>     // frameworks mark with the X-Requested-With header.
>>     if ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
>>         strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest')
>>     {
>>         return FALSE;
>>     }
>>
>>     return session_regenerate_id($delete);
>> }
>
> This is not going to work properly, there's still a race. I think that the best
> solution is to handle the race on the client side (send the request once more on
> session error).

There's no race condition, because there's no regeneration if the request is done through Ajax (provided that the X-Requested-With header is sent to tell us about that, which popular JS frameworks do), which is the root cause of the problem.

But the bottom line is - it depends on the client side implementation, and this is an application design detail. It can't be solved by PHP.

Cheers,
Andrey.
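To make the race the two posters are arguing about concrete, the following PHP script is an added illustration and not code from this thread or from PHP itself. It replaces the real session backend with a tiny in-memory store (`SessionStore`, a constructed stand-in) and passes the request headers in as an array instead of reading `$_SERVER`, so it runs from the CLI. It runs three scenarios: two concurrent Ajax requests with no guard (the second one's ID has already been deleted), the same pair with the X-Requested-With guard from the quoted snippet (neither regenerates, so both succeed), and a guarded normal page load that regenerates while an Ajax request carrying the old ID is still in flight (the case the guard does not cover, which is why the client-side retry is raised in the thread).

```php
<?php
// Added illustration, not code from the thread. SessionStore is a constructed
// in-memory stand-in for PHP's session save handler.
final class SessionStore
{
    /** @var array<string, array> session id => session data */
    private array $sessions = [];
    private int $counter = 0;

    public function create(array $data = []): string
    {
        $id = 'sid' . (++$this->counter);   // constructed id, not a real PHP session id
        $this->sessions[$id] = $data;
        return $id;
    }

    public function lookup(string $id): ?array
    {
        return $this->sessions[$id] ?? null;
    }

    // Mirrors session_regenerate_id($delete): issue a new id and, when $delete
    // is true, drop the old record immediately.
    public function regenerate(string $oldId, bool $delete): string
    {
        $data  = $this->sessions[$oldId] ?? [];
        $newId = $this->create($data);
        if ($delete) {
            unset($this->sessions[$oldId]);
        }
        return $newId;
    }
}

// The guard from the quoted snippet, with the headers passed in as an array
// (assumption: $server holds what $_SERVER would in a web SAPI).
function shouldRegenerate(array $server): bool
{
    if (!empty($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest') {
        return false;
    }
    return true;
}

// One simulated request. Returns the id the client should use from now on,
// or null when the id it sent is no longer in the store (the "session error").
function handleRequest(SessionStore $store, string $clientId, array $server, bool $guard): ?string
{
    if ($store->lookup($clientId) === null) {
        return null;
    }
    if (!$guard || shouldRegenerate($server)) {
        return $store->regenerate($clientId, true);
    }
    return $clientId;
}

$ajax = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];   // constructed header
$page = [];                                              // plain page load, no header

// Scenario 1: no guard, two Ajax requests fired together with the same id.
// The first regenerates and deletes the old id before the browser could have
// stored the new cookie, so the second request's lookup fails.
$store  = new SessionStore();
$id     = $store->create(['user' => 'alice']);
$first  = handleRequest($store, $id, $ajax, false);
$second = handleRequest($store, $id, $ajax, false);
printf("no guard:        first=%s second=%s\n", $first, var_export($second, true));

// Scenario 2: guarded. Ajax requests never trigger regeneration, so the id
// they share stays valid for both.
$store  = new SessionStore();
$id     = $store->create(['user' => 'alice']);
$first  = handleRequest($store, $id, $ajax, true);
$second = handleRequest($store, $id, $ajax, true);
printf("guarded (ajax):  first=%s second=%s\n", $first, $second);

// Scenario 3: guarded, but a normal page load regenerates while an Ajax
// request with the old id is still in flight. The guard only stops Ajax
// requests from regenerating; it cannot protect them from a concurrent page
// load, which is the situation a client-side retry would have to handle.
$store  = new SessionStore();
$id     = $store->create(['user' => 'alice']);
$pageId = handleRequest($store, $id, $page, true);
$ajaxId = handleRequest($store, $id, $ajax, true);
printf("guarded (mixed): page=%s ajax=%s\n", $pageId, var_export($ajaxId, true));
```

Run it with `php race.php`. The three lines it prints show the id each request ends up with, or `NULL` where the request arrived with an id that had already been deleted by `regenerate(..., true)`; that `NULL` is the "session error" a client would have to detect and retry.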