Newsgroups: php.internals
Date: Wed, 13 Jan 2016 11:47:50 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: "internals@lists.php.net", julien pauli
Subject: Re: [PHP-DEV] Fixing bug #68063

Hi Stas,

On Wed, Jan 13, 2016 at 10:08 AM, Stanislav Malyshev wrote:
>> The root cause is the browser's cookie handling.
>> It appears that browsers do not lock cookies while updating them.
>> Therefore a race condition happens and browsers sometimes send an
>> empty cookie. I haven't checked the code, but observed that it happens.
>>
>> I observed a handful of empty cookies a day on a web site that has
>> millions of accesses per day. I circumvented this issue with the method
>> described in https://wiki.php.net/rfc/precise_session_management
>> It worked perfectly.
>
> OK, leaving aside open RFCs, I think we should treat an empty ID cookie as
> if no cookie were provided at all. Looks like that is what the patch
> does? If true, we should merge it. I can do it later tonight.

Yes. The patch treats an empty session ID cookie as no session ID cookie.

>
>> Accepting an empty cookie is a security issue because multiple users
>> get the same session ID on occasion. The previous fix that disallows
>> empty cookies by raising an error works partially, but it was an
>> inappropriate fix. PHP shouldn't raise an error for an empty cookie,
>> but should try to set a new session ID.
>
> Since it is a browser bug and not a PHP bug, I'm not sure whether that
> really qualifies... But I guess it wouldn't hurt to fix that.
>
>> I found a simple way to observe lost sessions. Please refer to
>> https://bugs.php.net/bug.php?id=69127
>> It appears that even the single-threaded CLI server can cause a race.
>
> That may be some race condition, but that does not demonstrate empty
> session ID as I understand?

You should be able to see $_SESSION[v++] reset by an empty session ID cookie.
It's been a while, so it may be fixed in Chrome/Firefox, though.

Browsers should read/write cookie values in an atomic manner, but the RFC
does not require them to do so, AFAIK. I suppose we cannot rely on browser
implementations.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
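
The behaviour discussed in this message, as an added example that is not part of the original mail and is not PHP's session code or the patch: a userland model of why an accepted empty session ID makes unrelated users share a session, next to a lookup that treats an empty cookie as no cookie and issues a new ID without raising an error. The function names, the array-backed store, the sample cookie jars and the ID pattern are assumptions made for the illustration.

```php
<?php
// Added example: a model of the cookie handling discussed above.
// All names here are hypothetical; this is not PHP's session module.

/** Return the usable session ID from the cookie jar, or null if there is none. */
function cookie_session_id(array $cookies, string $name): ?string
{
    $raw = $cookies[$name] ?? null;
    // Assumed ID format: letters, digits, ',' and '-', 22 to 256 characters.
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $raw)) {
        return null; // empty or malformed: handled the same as "no cookie sent"
    }
    return $raw;
}

/** Naive lookup: whatever the cookie holds, even "", becomes the storage key. */
function naive_session_id(array $cookies, string $name): string
{
    return (string) ($cookies[$name] ?? bin2hex(random_bytes(16)));
}

/** Hardened lookup: no usable ID means a new one is issued, with no error. */
function hardened_session_id(array $cookies, string $name): string
{
    return cookie_session_id($cookies, $name) ?? bin2hex(random_bytes(16));
}

// Constructed input: two unrelated clients whose browsers sent "PHPSESSID=".
$alice = ['PHPSESSID' => ''];
$bob   = ['PHPSESSID' => ''];
$store = []; // stands in for the session save handler

// Naive path: both requests resolve to the key "" and share one record.
$store[naive_session_id($alice, 'PHPSESSID')]['user'] = 'alice';
$seenByBob = $store[naive_session_id($bob, 'PHPSESSID')]['user'] ?? null;
var_dump($seenByBob === 'alice');

// Hardened path: each client gets its own non-empty ID.
$a = hardened_session_id($alice, 'PHPSESSID');
$b = hardened_session_id($bob, 'PHPSESSID');
var_dump($a !== '' && $b !== '' && $a !== $b);

// A well-formed ID sent by the client is still honoured.
var_dump(hardened_session_id(['PHPSESSID' => $a], 'PHPSESSID') === $a);
```

Run it with the PHP CLI (PHP 7.1 or later for the nullable return type); each `var_dump` reports whether the stated condition held for the constructed clients.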