Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:90956 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 88078 invoked from network); 27 Jan 2016 01:26:04 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Jan 2016 01:26:04 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.52 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.220.52 mail-pa0-f52.google.com Received: from [209.85.220.52] ([209.85.220.52:34983] helo=mail-pa0-f52.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C7/25-56702-AAC18A65 for ; Tue, 26 Jan 2016 20:26:03 -0500 Received: by mail-pa0-f52.google.com with SMTP id ho8so106566758pac.2 for ; Tue, 26 Jan 2016 17:26:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=dSAAFWNVA6vmWQ/ooGQ/YwIJWM8385HN7tuHtoRFN7w=; b=jUJVU+GHe8OCOvmejmfneRtOUABai3KzVviPxAAXbhWtq/9uDP+HfBDLYiIaK5nr+9 NQBP/UTmq/jFa2XGOEMAWiixEPj9eggwkkjZVuuqVlpO9jrjeWicVYUazBn5xZ4Uy+/G D0P6AB83MMDHa+mVDbjOp6reyuNTNtIcY0lhsMaYeABZq19EohDtsIu/uGUK10Ch5QK+ /RwsdmS1vZxWkJ4+00q9gVKCs0Xh0NAsZF8aZ8KttYCL5zuwpiOz33z+Kf/MAaILpqFC /uOPIOUGm4eE1Z4t3JIGN6VbqqVpsLVbw2DFFcJ19RHWQCWHX3QidjK+hJ0j5KwMYPjW GoFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=dSAAFWNVA6vmWQ/ooGQ/YwIJWM8385HN7tuHtoRFN7w=; b=M5zXs7tS2lljp/Y8QgDossLWQjYledSfJjVv5AFOMxjcY3CPImhc0qTdMfYnimZ0GO izQTPbGvLf+fkAyH0crG7xavpUpWp/qsz55ASFBUEX6sOT+kznT1Rl61s5x+tX479NrA d52Nq1kHaKoHWSoQe7qlQtQOhprZb6ByXaqtsA7F+i4XLbCpj+hzRbh4u0cXDzdVucJF RPqr1pnLB1okIRpuelrLzUefnuen3b/dv86gfi/Yij5unLwdn+8I9IrMTjWR15RE/owK jF+doFs2IT0AHR3hNboJKyc7qvH8KToYtmLmtF/oLree8HuJOcsy3DvWTmKGY1zpP2HH Sqxg== X-Gm-Message-State: AG10YOTNdr+NciGz5VmJCebFSC/GnylnsPNaLAVdWMz+T3kzPaPjVzCiLUmZuyxmBGpApg== X-Received: by 10.66.141.229 with SMTP id rr5mr7066930pab.123.1453857959689; Tue, 26 Jan 2016 17:25:59 -0800 (PST) Received: from Stas-Air.local (76-220-46-95.lightspeed.sntcca.sbcglobal.net. [76.220.46.95]) by smtp.gmail.com with ESMTPSA id r5sm4507774pap.7.2016.01.26.17.25.58 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 26 Jan 2016 17:25:59 -0800 (PST) To: Yasuo Ohgaki References: <56A727C3.9070505@gmail.com> <56A80626.6080008@gmail.com> Cc: "internals@lists.php.net" X-Enigmail-Draft-Status: N1110 Message-ID: <56A81CA5.2050106@gmail.com> Date: Tue, 26 Jan 2016 17:25:57 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > Other than HTTPS, setting unremovable cookies is easy with JavaScript > vulnerability. Currently, we only has session.use_strict_mode=1. This > is not good enough because attacker can generate valid session ID by That sound unlikely, given how much space needs to be searched. By the same vein, you could say one could defeat encryption by just guessing the key. Which, if you are unbelievably lucky, can be true, but nobody is that lucky. I don't see how guessing session ID is easier than guessing encryption key. > themselves, and set it to victims cookie. Without session ID > regeneration with precise expiration, attacker may keep logged in > session forever. That's not true, as many application provide session expiration in userspace. > Described how easy to steal session permanently above. It was claimed, but not described how that could actually happen. > Without this proposal, user/web site owner will never know possible > security breach. With this proposal, user/web site owner can detect it > by raised errors for access to expired sessions. I'm not sure what would be the use of it. Suppose you detected somebody is trying to use old sessions to breach your security. Then what? I am also not sure which proposal you refer to that helps with access to expired sessions - aren't they just deleted? If so, you can't distinguish access to expired session from access to one that never existed. > Other than restricting chars for session_id(), this proposal will not > break application. Other possible minor BC happens when apps rely on > constant session ID. Relying on constant session ID is _bad_ practice, > but the patch allows to disable automatic session ID regeneration for > better compatibility. Tests for session behavior may be affected, but > it will not affect production code. Still do not see how restricting chars is beneficial (handlers already restrict what is unacceptable for them). Also, as I said, as a particular implementation detail, I don't think specific session regeneration pattern belongs in core - not all applications would want it, and not all in the same way. Some applications would rather prefer to drop the session and force the user to re-login, for example. > Other than these, user should not have problems in their production > codes. If any, please let me know. Changing defaults and functionality always brings possibility for breakage, and the fact that so many tests needed to be changed also suggests that the applications that would use the same code unmodified would be broken. -- Stas Malyshev smalyshev@gmail.com