Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90951
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 78543 invoked from network); 27 Jan 2016 00:22:43 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Jan 2016 00:22:43 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.177 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.160.177 mail-yk0-f177.google.com  
Received: from [209.85.160.177] ([209.85.160.177:35187] helo=mail-yk0-f177.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D0/63-56702-1DD08A65 for <internals@lists.php.net>; Tue, 26 Jan 2016 19:22:42 -0500
Received: by mail-yk0-f177.google.com with SMTP id u68so93348751ykd.2
        for <internals@lists.php.net>; Tue, 26 Jan 2016 16:22:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=BgiOHAJYp9Pwy1tW5OqTTPw5XZ7DDEdWDsi8nshaNlQ=;
        b=FO5YZsz85eJO+vD4njWqW16IdSC3oSGkz0nk7XMd+CUr6z6wLQGvflzk0hwIPgMPoH
         GTs4483mnKZIn00AwRzuI0WI25W4oSTkXCQkPQjAEQOOYgXDMnG7z/UTWXiDKyypKR4H
         bV3+h/6sVoXrHXr7eN9/yuvNUjB9iDAjpaClXa1bZh6JPL8APfvQb8+7pWHfU9lwdHG3
         5ZZFimp8GRL8SC0qaHgN0fGGxfHHLmJC9im6B9yYJG7U8cLkaqCzvV513n5JFyQd9DLU
         Rwk04o0T7SfJhrf5iYWlDhbjdlWq85Qj5oAKq+MRiPF3wQO5ExwgO9Eb4Vf9OTi+8fn1
         55Kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc:content-type;
        bh=BgiOHAJYp9Pwy1tW5OqTTPw5XZ7DDEdWDsi8nshaNlQ=;
        b=crS81FUFNSScb/7IPeU3jW8J5o4j+5Wc2hFmA1RqYTGYF4wpkNr/1ynSGwDvP6COm2
         GJ5TjMT61urxuC6DBvXVMASF3A6NXVV8i1cfmxGKC5RSUeHlF+hXU6GuaNh9wLoGZ053
         la8As7gVrgIJQ2Kv0sVzt+MfQlaOphZm7APUkJGxqShklwcBu53lkNpFzGm1z18hyL8q
         SVmotw/UH2UKmzrmGKC3h3RcIwtlE665uUtBdismk5Z3jet7sOmBDwiC+jjMo+kF+drQ
         iuLuzJQSPE9Ln2zSklhWOgM1qjtdErVZWXp9M8ufFJcjMaDm/OV7ON12942BAZGdszA5
         naCQ==
X-Gm-Message-State: AG10YOSBvR0daia9YGd8cq3EdNjV16cyApKOr4YnmhI7BU3Ydm2vuc0jSQfgXmxz9NNcacaaFpnLEwyNX7zxsQ==
X-Received: by 10.37.42.202 with SMTP id q193mr6564642ybq.10.1453854158555;
 Tue, 26 Jan 2016 16:22:38 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.129.88.139 with HTTP; Tue, 26 Jan 2016 16:21:58 -0800 (PST)
In-Reply-To: <56A80626.6080008@gmail.com>
References: <CAGa2bXbg_kebBVg3tSh4uFHZ6nQXRbjUXNQa0JZx9sezQqb5kg@mail.gmail.com>
 <CAGa2bXYZXkCJwFKVwaNfV+OEw0FzeFFbtxLm0zRmFVE_b4xsMw@mail.gmail.com>
 <CAGa2bXbRJMZFcXfZc9o7YnAhkDRfYKPjO+10k-eKXdoGNTREbg@mail.gmail.com>
 <CAGa2bXYGpV=P-680ig1LOkYWsSRS-Ya2rYVa3wo3vrxdT=zwiw@mail.gmail.com>
 <56A727C3.9070505@gmail.com> <CAGa2bXYj6iCvKqcpf_p6Dm_TNOxtVozry=AONKWu9-VKzb_FHw@mail.gmail.com>
 <CAGa2bXZ3gFegniSBCtfnnrrotbdCh+MjGufC11nYhd7kH31tuQ@mail.gmail.com> <56A80626.6080008@gmail.com>
Date: Wed, 27 Jan 2016 09:21:58 +0900
X-Google-Sender-Auth: X1IinQ1zLLvoJOARo6tvJy8jAvU
Message-ID: <CAGa2bXYWO+0U0urbbUi-nJjKnACYXdRDsg0Jn6AcYus1VsrExQ@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Stas,

On Wed, Jan 27, 2016 at 8:49 AM, Stanislav Malyshev <smalyshev@gmail.com> wrote:
>
>> I have
>> https://wiki.php.net/rfc/dbc2
>
> This doesn't seem to do anything with security. It's just a way of doing
> asserts, which we already have.

It's a framework for secure programming.
Using it is up to users, but DbC is proven method for writing
sold(secure) code while maintaining the code execution performance in
production. Assert is a weak tool for it.

>
>> https://wiki.php.net/rfc/secure_serialization
>
> This may be a viable extension of somebody really is going to use it. I
> would suggest making a PECL extension.

MHAC is also a proven method for message validation. Unvalidated
inputs for serialize are source of vulnerabilities for a long time. I
think it worth to provide it for all users. I see work in progress
phpt for serialize vulnerability, why not provide secure way out of
the box?

>
>> https://wiki.php.net/rfc/introduce-type-affinity
>
> This also has nothing to do with security, and also looks unfinished,
> not clear what is sought and what is the benefit.

It related to secure programming. Validating inputs and use of proper
types is basic thing in secure programming. Type affinity helps this.

>
>> https://wiki.php.net/rfc/script_only_include
>
> This one we already discussed at length, and the vote result is clear.

It may be. However, easiness of code inclusion in PHP is one of the
weakest point that is unique to PHP. I'm not sure how it goes, but I
shall try.

>
>> Three RFCs for session is just too much for me already...
>
> Maybe we should concentrate on doing one specific thing, bring it to
> conclusion and then get to the next one?

I would like not to start discussions for these RFCs now. Fine for me.

>
>> Anyway, we may be better to talk about how it should be.
>> For this thread, how session management should be.
>> It's just not good enough currently. Besides exploiting
>> PHP session is too easy, random lost sessions is not
>
> I am sorry, but I still see no base to this claim. You seem to be under
> impression that stealing cookies from HTTPS connection is trivial, but I
> do not see how it is. Moreover, since virtually all secure communication
> over the web relies on this, if it were trivial, no secure communication
> would be possible, and I don't see this happening.

I'm not saying stealing session cookie from HTTPS is trivial. It could
be trivial with certain environment, though.

Other than HTTPS, setting unremovable cookies is easy with JavaScript
vulnerability. Currently, we only has session.use_strict_mode=1. This
is not good enough because attacker can generate valid session ID by
themselves, and set it to victims cookie. Without session ID
regeneration with precise expiration, attacker may keep logged in
session forever.

> If, however, HTTPS/cookies are secure, then I don't see how exploiting
> PHP session in current state is easy. There may be some browser bugs
> that make some scenarios not work sometimes, but so far I don't see any
> problem that were bigger than light annoyance.

Described how easy to steal session permanently above.
Without this proposal, user/web site owner will never know possible
security breach. With this proposal, user/web site owner can detect it
by raised errors for access to expired sessions.

>
>> acceptable. Weak defaults are not acceptable also. Let's
>
> There are a lot of different use cases for PHP and session, and the same
> requirements do not apply to all of them. So in my opinion, the defaults
> should cover the most common cases, and avoid breaking applications as
> much as possible.

Other than restricting chars for session_id(), this proposal will not
break application. Other possible minor BC happens when apps rely on
constant session ID. Relying on constant session ID is _bad_ practice,
but the patch allows to disable automatic session ID regeneration for
better compatibility. Tests for session behavior may be affected, but
it will not affect production code.

Other than these, user should not have problems in their production
codes. If any, please let me know.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net