Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73554
Return-Path: <narf@devilix.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 40376 invoked from network); 3 Apr 2014 09:32:01 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Apr 2014 09:32:01 -0000
Authentication-Results: pb1.pair.com header.from=narf@devilix.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=narf@devilix.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain devilix.net designates 209.85.213.49 as permitted sender)
X-PHP-List-Original-Sender: narf@devilix.net
X-Host-Fingerprint: 209.85.213.49 mail-yh0-f49.google.com  
Received: from [209.85.213.49] ([209.85.213.49:50454] helo=mail-yh0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id BC/14-15417-09A2D335 for <internals@lists.php.net>; Thu, 03 Apr 2014 04:32:01 -0500
Received: by mail-yh0-f49.google.com with SMTP id z6so1388790yhz.22
        for <internals@lists.php.net>; Thu, 03 Apr 2014 02:31:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=devilix.net; s=google;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=zwXxtr7pe1SbkL1ajDf3foyoH7yih2qootOUQLzubEc=;
        b=czq2fcHoedUUH6ILptUsuKMzkUWCAwSNCrPEOIaJSxs+w+O1uLmH72tmv5qHyR9CoW
         s/kC6RcxtqpB+PyHC1ncsUr4QwVkZPHKDgRjZ/CzQEadUVLtHPYs/w6JEaflatEyN2/Z
         TfU3uvudp+qAmdbNPHAVkyNfU4kAvDn8bbdxA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=zwXxtr7pe1SbkL1ajDf3foyoH7yih2qootOUQLzubEc=;
        b=QO86L9/iXoe3Wm4ipq5q+sSAsw4bWjUdGyocyOLOtY/x8lCAHF82o1CS3dEF2VYa2O
         amvUf4pCootxnIE1+uSUKGOPIvR6mLJjCmUEZuqVjA0LXU6FIrHEGhzKR5Ox5/v6wCp7
         zOoBfpkKXVsmoWyesD/OporhenaVz4esD0ABHdRhTa71nM5WTAaMj7mrN1/p/tfykJVA
         y2f8cOEdtep3lZwIRfgQdxOedL/PRDFzdSMNvVjCQlNuRvv3rmKYtpuuwOOGCt++SGNB
         mTTXxi5c/jPhcPkfDX0ImBMir3j1XKCNXvRQ1vHhqgPLDWAye1zgnDN51MkKnYaLeuVB
         wIzg==
X-Gm-Message-State: ALoCoQm2vc1x83xBTfNvNCDYTQYc3SYiJfQ9WsM0Ek/vxL9tx56B/9mBQnLkqzXD8MaoPEnJaUiB
MIME-Version: 1.0
X-Received: by 10.236.35.201 with SMTP id u49mr7016777yha.98.1396517518452;
 Thu, 03 Apr 2014 02:31:58 -0700 (PDT)
Received: by 10.170.188.139 with HTTP; Thu, 3 Apr 2014 02:31:58 -0700 (PDT)
In-Reply-To: <CAGa2bXbwqn5NsTVLDsF01qTEQqX5bzzS=wTDQXtetkKwDY5a0g@mail.gmail.com>
References: <CAPhkiZxPZPatCKsCCih3YnOUmoUydk6MCvFjFB=AVvS-6bDYUQ@mail.gmail.com>
	<CAGa2bXb1ijUNA=RNFaTDnT7JjuVjWHp1aAiFxFXbCMwQqP-GjQ@mail.gmail.com>
	<CAPhkiZztkiKJQhU8ajajzUWOkbj_Hzon+8iCAVErRw=cMQGA8w@mail.gmail.com>
	<CAGa2bXbRjDZ6j-HuOTbv7OYO8=8nNxwhqKP7kDD=8e6Hnuqs+w@mail.gmail.com>
	<CAPhkiZwkdzzppBjsiFvFh7_mmWtbCKfo=OtYt-1RoB=4Kkcrzg@mail.gmail.com>
	<CAGa2bXYKtKX24p=XfTZdT_2E_543JDmZit6cKGMTLr-GuU7++A@mail.gmail.com>
	<CAPhkiZyP3TOb8Y48GB58zYD6oSbpQ7k5Ngk6Yn2sd4YcJzRwPg@mail.gmail.com>
	<CAGa2bXafy794OxJDk0CNTaY5Te98O84HFAyuMJU7s819bX+tHw@mail.gmail.com>
	<CAPhkiZwosTiKRudaNDhsoXHxkXjP=Qd_T4DCwhFmdJkVRmV=KA@mail.gmail.com>
	<CAGa2bXbwqn5NsTVLDsF01qTEQqX5bzzS=wTDQXtetkKwDY5a0g@mail.gmail.com>
Date: Thu, 3 Apr 2014 12:31:58 +0300
Message-ID: <CAPhkiZyhM9TB=+ASkk2v3U31o5YefCYZx8hnOaWNQEAwJt-q+w@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default
From: narf@devilix.net (Andrey Andreev)

Hi,

>> > Regarding "_" addition to files save handler, it may not be RFC issue as
>> > it
>> > does not break anything at all. Just an simple addition of safe char
>> > that
>> > is needed for new safe prefixed session ID with hash bits=6. It may
>> > apply
>> > even prefixed session. I think there are many changes like this w/o RFC.
>> >
>> > I tried to write RFC to be minimum and sufficient. I should add more
>> > description
>> > if it is not. Or add link of this thread. I think it's preferred way.
>>
>>     Changing default settings in the proposed way makes ext/session
>> more secure by default.
>>
>>     Adding a new parameter to session_id() only gives users an easier
>> way to do complete a task that they otherwise *could* do the wrong
>> way.
>>
>> The first has real, straight-forward impact on security and doesn't
>> change existing functionality.
>> The second only *might* lead to some userland code being more secure
>> and it is questionable if that's the proper tool for the job. I for
>> one would like more tools that allow me to change a session's
>> behavior, but a prefix is not one of them.
>
>
> If you handle millions of sessions and would like to find specific
> active sessions with marginal overhead, prefixing is the way to
> go. Many users may not need it, but there are users who need.

Or, you could prefix (or add another field to check against) it in
storage, but leave the session ID itself untouched. That's not the
point though ... this just isn't a security feature and the RFC is
about improving security.

Can we move this forward now? I don't think there's anything more to discuss.
Btw, I'm still a proponent of changing hash_bits_per_character as
well, but IMO that may be done separately, without an RFC.

Cheers,
Andrey.