Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73592
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 94253 invoked from network); 4 Apr 2014 09:14:51 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Apr 2014 09:14:51 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.169 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.169 mail-lb0-f169.google.com  
Received: from [209.85.217.169] ([209.85.217.169:47835] helo=mail-lb0-f169.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 86/76-57266-9087E335 for <internals@lists.php.net>; Fri, 04 Apr 2014 04:14:50 -0500
Received: by mail-lb0-f169.google.com with SMTP id q8so2301149lbi.28
        for <internals@lists.php.net>; Fri, 04 Apr 2014 02:14:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=LbwR7vFHvkQEKO7UF8mEWUn2xIlM7nEZuIK3x8TPsuQ=;
        b=KkW1XrNBLBKWgV/TyI9zMnBZ92ztbGrrNAxzuqwQqdbUNx+P5REHYsb3mFTWm1zBKL
         jFESmhZmbSlcnnan3yN4e8aWJZd+JGIajlbc9ExT0j202mcbULkgbnK77wyMt7yLO7/5
         2gH3qoBNcj9vWTJMk5wHrcfXQew19UOgeDf+GGMyVwaScpzbfneHCO6DEyPilnY3eECC
         a7ZYzy507bupRjnzLAvf42htCvDM/HLHxc31HtoDYrF2bUXqmHgdBHyP9X2ZNz1g1SrQ
         nvvf24M/UmhSBhgE9lQ4GW+VYBHxiPUVNAsjUaHdWTwxciLd24bcF2mmAR4ShYHoEhJM
         /q4w==
X-Received: by 10.112.126.7 with SMTP id mu7mr7555096lbb.17.1396602887355;
 Fri, 04 Apr 2014 02:14:47 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.205.73 with HTTP; Fri, 4 Apr 2014 02:14:07 -0700 (PDT)
In-Reply-To: <CAPhkiZyhM9TB=+ASkk2v3U31o5YefCYZx8hnOaWNQEAwJt-q+w@mail.gmail.com>
References: <CAPhkiZxPZPatCKsCCih3YnOUmoUydk6MCvFjFB=AVvS-6bDYUQ@mail.gmail.com>
 <CAGa2bXb1ijUNA=RNFaTDnT7JjuVjWHp1aAiFxFXbCMwQqP-GjQ@mail.gmail.com>
 <CAPhkiZztkiKJQhU8ajajzUWOkbj_Hzon+8iCAVErRw=cMQGA8w@mail.gmail.com>
 <CAGa2bXbRjDZ6j-HuOTbv7OYO8=8nNxwhqKP7kDD=8e6Hnuqs+w@mail.gmail.com>
 <CAPhkiZwkdzzppBjsiFvFh7_mmWtbCKfo=OtYt-1RoB=4Kkcrzg@mail.gmail.com>
 <CAGa2bXYKtKX24p=XfTZdT_2E_543JDmZit6cKGMTLr-GuU7++A@mail.gmail.com>
 <CAPhkiZyP3TOb8Y48GB58zYD6oSbpQ7k5Ngk6Yn2sd4YcJzRwPg@mail.gmail.com>
 <CAGa2bXafy794OxJDk0CNTaY5Te98O84HFAyuMJU7s819bX+tHw@mail.gmail.com>
 <CAPhkiZwosTiKRudaNDhsoXHxkXjP=Qd_T4DCwhFmdJkVRmV=KA@mail.gmail.com>
 <CAGa2bXbwqn5NsTVLDsF01qTEQqX5bzzS=wTDQXtetkKwDY5a0g@mail.gmail.com> <CAPhkiZyhM9TB=+ASkk2v3U31o5YefCYZx8hnOaWNQEAwJt-q+w@mail.gmail.com>
Date: Fri, 4 Apr 2014 18:14:07 +0900
X-Google-Sender-Auth: ze_Z5kexOAMF1GEn-U-F9nULfrA
Message-ID: <CAGa2bXYhnx+NZVBUYoGBjvR-14Yxjup86WjyyT-=vzDcib4GkA@mail.gmail.com>
To: Andrey Andreev <narf@devilix.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c36b0efe41ed04f633f22c
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c36b0efe41ed04f633f22c
Content-Type: text/plain; charset=UTF-8

Hi all,

On Thu, Apr 3, 2014 at 6:31 PM, Andrey Andreev <narf@devilix.net> wrote:

>
> >> > Regarding "_" addition to files save handler, it may not be RFC issue
> as
> >> > it
> >> > does not break anything at all. Just an simple addition of safe char
> >> > that
> >> > is needed for new safe prefixed session ID with hash bits=6. It may
> >> > apply
> >> > even prefixed session. I think there are many changes like this w/o
> RFC.
> >> >
> >> > I tried to write RFC to be minimum and sufficient. I should add more
> >> > description
> >> > if it is not. Or add link of this thread. I think it's preferred way.
> >>
> >>     Changing default settings in the proposed way makes ext/session
> >> more secure by default.
> >>
> >>     Adding a new parameter to session_id() only gives users an easier
> >> way to do complete a task that they otherwise *could* do the wrong
> >> way.
> >>
> >> The first has real, straight-forward impact on security and doesn't
> >> change existing functionality.
> >> The second only *might* lead to some userland code being more secure
> >> and it is questionable if that's the proper tool for the job. I for
> >> one would like more tools that allow me to change a session's
> >> behavior, but a prefix is not one of them.
> >
> >
> > If you handle millions of sessions and would like to find specific
> > active sessions with marginal overhead, prefixing is the way to
> > go. Many users may not need it, but there are users who need.
>
> Or, you could prefix (or add another field to check against) it in
> storage, but leave the session ID itself untouched. That's not the
> point though ... this just isn't a security feature and the RFC is
> about improving security.
>
> Can we move this forward now? I don't think there's anything more to
> discuss.
> Btw, I'm still a proponent of changing hash_bits_per_character as
> well, but IMO that may be done separately, without an RFC.


Sure.
These are simple changes for better session security.
I have to update RFC so that everyone understand side effects of
these changes.

hash_bits_per_characters may stay the same and additional char to
files save handler could be added simply.
I'll update the RFC weekend, hopefully.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c36b0efe41ed04f633f22c--