Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90947
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 71685 invoked from network); 26 Jan 2016 23:50:05 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Jan 2016 23:50:05 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.181 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.192.181 mail-pf0-f181.google.com  
Received: from [209.85.192.181] ([209.85.192.181:36404] helo=mail-pf0-f181.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8F/F1-56702-C2608A65 for <internals@lists.php.net>; Tue, 26 Jan 2016 18:50:04 -0500
Received: by mail-pf0-f181.google.com with SMTP id n128so106799356pfn.3
        for <internals@lists.php.net>; Tue, 26 Jan 2016 15:50:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:cc:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-type:content-transfer-encoding;
        bh=ZtGASpby20A4MkdJuthvZwbn5K1hYD9CD85b477WbnU=;
        b=BSGOqgijne2yBbmZ/UshxXRB7l1I5NpPF97HJOk593ECBw8s3QnUfNk2DXxIfx9dfN
         c6VOafJs0dNJydqctmFBoqPLE8X98JtMRrPkssVgEPWm6NNQDnbTkiX2uN1xQSTSO70Z
         Qw1+/lpHBC+gZZAqRueg9mHmQG6ANHeq/OSfHlRwM3YoG1FMKf+bD93o8MJ7IZUOPGRT
         CaE/xVMmXf7rVjnzfFMlMg+cG7DZsz3pCHSAL9/sBiQad5EmRhx2C/xJIuWnL3u0nI2t
         2B6hvIGzUFlx75/LVVEAWoGBq90qB7UjY7U7h6euCOdnCAWJaTHUtYfh8t4y/R+yXkhA
         U32w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:cc:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-type
         :content-transfer-encoding;
        bh=ZtGASpby20A4MkdJuthvZwbn5K1hYD9CD85b477WbnU=;
        b=Rst5wcu2keJss4wtjxRy9sHGiweJauM/AenEGdmFKc9p1z4nZ6lMTZ94shGfzwU0i2
         ntq+UI8u47Lvw9Of3GSDA6AjZuF+fDxmONDH/ryAAxZ1G9WdGe6XIDlQHW0MPJTyL68P
         QFWPSCOg18V/FaYePZ/Omf2o02d8kHOhQCK7dA4ADHYbeQnJIUtGRhlGS7NPealmoBcM
         MyNa76iLG7IOtrACY0Gls0Aut+kkBAMjrEn5WLitu1t4khLUZvWPcdOSBNnEOVYh/ahV
         KQtFBlyPOAjyqnsOabC4B7v43lEE1hLZg1Zb7awZF0pC53/juzkVLQjO8harOw4der+J
         ZrzA==
X-Gm-Message-State: AG10YOT+mRXzycjXy2brS0mJfeEh/gUKzYF0RsIeaUAyw+Qybw5Fahr103oC4OCS4oefyA==
X-Received: by 10.98.64.215 with SMTP id f84mr37918647pfd.113.1453852201256;
        Tue, 26 Jan 2016 15:50:01 -0800 (PST)
Received: from Stas-Air.local ([2602:304:cdc2:e5f0:c8d3:ee4:eeec:eefc])
        by smtp.gmail.com with ESMTPSA id cq4sm4212716pad.28.2016.01.26.15.50.00
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 26 Jan 2016 15:50:00 -0800 (PST)
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
References: <CAGa2bXbg_kebBVg3tSh4uFHZ6nQXRbjUXNQa0JZx9sezQqb5kg@mail.gmail.com>
 <CAGa2bXYZXkCJwFKVwaNfV+OEw0FzeFFbtxLm0zRmFVE_b4xsMw@mail.gmail.com>
 <CAGa2bXbRJMZFcXfZc9o7YnAhkDRfYKPjO+10k-eKXdoGNTREbg@mail.gmail.com>
 <CAGa2bXYGpV=P-680ig1LOkYWsSRS-Ya2rYVa3wo3vrxdT=zwiw@mail.gmail.com>
 <56A727C3.9070505@gmail.com>
 <CAGa2bXYj6iCvKqcpf_p6Dm_TNOxtVozry=AONKWu9-VKzb_FHw@mail.gmail.com>
 <CAGa2bXZ3gFegniSBCtfnnrrotbdCh+MjGufC11nYhd7kH31tuQ@mail.gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
X-Enigmail-Draft-Status: N1110
Message-ID: <56A80626.6080008@gmail.com>
Date: Tue, 26 Jan 2016 15:49:58 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0)
 Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CAGa2bXZ3gFegniSBCtfnnrrotbdCh+MjGufC11nYhd7kH31tuQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> I have
> https://wiki.php.net/rfc/dbc2

This doesn't seem to do anything with security. It's just a way of doing
asserts, which we already have.

> https://wiki.php.net/rfc/secure_serialization

This may be a viable extension of somebody really is going to use it. I
would suggest making a PECL extension.

> https://wiki.php.net/rfc/introduce-type-affinity

This also has nothing to do with security, and also looks unfinished,
not clear what is sought and what is the benefit.

> https://wiki.php.net/rfc/script_only_include

This one we already discussed at length, and the vote result is clear.

> Three RFCs for session is just too much for me already...

Maybe we should concentrate on doing one specific thing, bring it to
conclusion and then get to the next one?

> Anyway, we may be better to talk about how it should be.
> For this thread, how session management should be.
> It's just not good enough currently. Besides exploiting
> PHP session is too easy, random lost sessions is not

I am sorry, but I still see no base to this claim. You seem to be under
impression that stealing cookies from HTTPS connection is trivial, but I
do not see how it is. Moreover, since virtually all secure communication
over the web relies on this, if it were trivial, no secure communication
would be possible, and I don't see this happening.
If, however, HTTPS/cookies are secure, then I don't see how exploiting
PHP session in current state is easy. There may be some browser bugs
that make some scenarios not work sometimes, but so far I don't see any
problem that were bigger than light annoyance.

> acceptable. Weak defaults are not acceptable also. Let's

There are a lot of different use cases for PHP and session, and the same
requirements do not apply to all of them. So in my opinion, the defaults
should cover the most common cases, and avoid breaking applications as
much as possible.
-- 
Stas Malyshev
smalyshev@gmail.com