Newsgroups: php.internals
Xref: news.php.net php.internals:90584
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Wed, 13 Jan 2016 09:28:29 +0900
Subject: Re: [PHP-DEV] Fixing bug #68063
To: Stanislav Malyshev
Cc: "internals@lists.php.net", julien pauli
In-Reply-To: <56958637.5080807@gmail.com>
References: <56958637.5080807@gmail.com>

Hi Stas,

On Wed, Jan 13, 2016 at 8:03 AM, Stanislav Malyshev wrote:
>> I've disallowed empty session ID, but it wasn't an
>> appropriate fix.
>>
>> https://bugs.php.net/bug.php?id=68063
>
> Could you explain a bit more about the part where there are empty IDs
> generated? You say it "is browser's cookie handling" - could you explain
> more about it?

The root cause is the browser's cookie handling. It appears that browsers
do not lock cookies while updating them. Therefore a race condition
happens and browsers sometimes send an empty cookie. I haven't checked
the code, but I observed that it happens. I observed a handful of empty
cookies a day on a web site that has millions of accesses per day.

I circumvented this issue with the method described in

https://wiki.php.net/rfc/precise_session_management

It worked perfectly.

>
>> I made an appropriate patch for this issue. It should be
>> applied from PHP 5.5 to master. I attached the patch to
>> the bug report. Could you apply it from PHP 5.5? Or
>> shall I commit it from 5.6? then cherry pick?
>
> Is that a security issue? If so, please explain how. If not, it should
> be 5.6+.

Accepting an empty cookie is a security issue because multiple users get
the same session ID on occasion. The previous fix that disallows empty
cookies/raises an error works partially, but it was an inappropriate fix.
PHP shouldn't raise an error for an empty cookie, but should try to set
a new session ID.

Although setting a new session ID maintains uniqueness of the session ID,
sessions may be lost randomly. The method described in the RFC is
required to resolve this issue completely. Otherwise, web site users may
experience randomly lost sessions. It's very rare though.

I found a simple way to observe lost sessions. Please refer to

https://bugs.php.net/bug.php?id=69127

It appears that even the single-threaded CLI server can cause a race.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
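
The difference between accepting an empty session ID and replacing it with a new one, as an added example that is not part of the original message and is not PHP's session code. It uses a toy in-memory store with hypothetical function names (`openSessionNaive`, `openSessionFixed`) and assumes PHP 7+ for `random_bytes()`.

```php
<?php
declare(strict_types=1);

// Added illustration: $store is a toy map of session ID => session data.
// It stands in for a session save handler; it is not ext/session.

/** The behaviour described as a security issue: the cookie value is used as-is. */
function openSessionNaive(array &$store, ?string $cookieId): string
{
    $id = $cookieId ?? bin2hex(random_bytes(16));
    $store[$id] = $store[$id] ?? [];   // "" becomes one key shared by every empty-cookie request
    return $id;
}

/** The behaviour asked for: no error, an empty ID is replaced by a new one. */
function openSessionFixed(array &$store, ?string $cookieId): string
{
    if ($cookieId === null || $cookieId === '') {
        $cookieId = bin2hex(random_bytes(16)); // fresh, unpredictable ID
    }
    $store[$cookieId] = $store[$cookieId] ?? [];
    return $cookieId;
}

// Constructed scenario: two different users whose browsers both sent an empty cookie.
$naive = [];
$a = openSessionNaive($naive, '');
$naive[$a]['user'] = 'alice';
$b = openSessionNaive($naive, '');
printf("naive: same id=%s, second user reads user=%s\n",
    var_export($a === $b, true), $naive[$b]['user']);

$fixed = [];
$a = openSessionFixed($fixed, '');
$fixed[$a]['user'] = 'alice';
$b = openSessionFixed($fixed, '');
printf("fixed: same id=%s, second user sees data=%s\n",
    var_export($a === $b, true), var_export(isset($fixed[$b]['user']), true));

// The trade-off the message mentions: a returning user whose cookie arrives
// empty gets a fresh ID, so the data stored under the old ID is not reached.
$old = openSessionFixed($fixed, null);
$fixed[$old]['cart'] = ['book'];
$new = openSessionFixed($fixed, '');
printf("fixed: cart visible after empty cookie=%s\n",
    var_export(isset($fixed[$new]['cart']), true));
```

The last case is the randomly lost session that the message says only the RFC's method resolves completely.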