Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91640
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 34562 invoked from network); 12 Mar 2016 00:25:14 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 Mar 2016 00:25:14 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.53 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.213.53 mail-vk0-f53.google.com  
Received: from [209.85.213.53] ([209.85.213.53:36675] helo=mail-vk0-f53.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 88/D2-14237-6E163E65 for <internals@lists.php.net>; Fri, 11 Mar 2016 19:25:11 -0500
Received: by mail-vk0-f53.google.com with SMTP id c3so153301689vkb.3
        for <internals@lists.php.net>; Fri, 11 Mar 2016 16:25:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=Lc011nmB313PTBdJnZEITznuiJJccSX04YdXdfNrEf8=;
        b=FcQ3MLZr4qleHetfNDmNG5lsCwD9JsollC9O7vNzbgIBSAFjkRwze2MZm/9qbtIwae
         NhcVZVfeARnDqc3kyBaSNbqGdUSLaCOhMfy7vP3nlmnZRBY7al7tqyEtX1p5yimUkfx6
         XB0VvcXMDt9ONBAqCSP1B8Z4MhWORksEzJmYQ5Wsf31z5OHx1PIM2GJHG1o4CDBgHk55
         KZbAqKIDgqSeVwx20GNMA8LYlRptHu3iJl3tYrg6lI8YRCAo4K2JiiWTy170HYErwtEV
         oF9zXdOkcGg7CCaeNT6DyH62cE46gc17lwQvp/Yqa9TyZM2VkUGl4nDzIN00s9avKJVd
         HiTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=Lc011nmB313PTBdJnZEITznuiJJccSX04YdXdfNrEf8=;
        b=F0+CFX6oAQCXdX8jnL/4np2M3ID15eU4xa97mVE7nHb+aW1qB08d4ZWpq6q0A0Pc5v
         xrDmwRwT8wCbm5L5Fp4mfsmwcYTezurYD5+lrsJba4/p7zoNORpmlelFZI+rYbbxVsnV
         FgfxssJtX2GhV1sITUpYLDlTteI2xJVTdS4r0jp4ZHA3FgKDHShseikpBqbjiZ/97zDq
         gxiZ+X54OhAM//J6wl1A3+fYeVTfphUMdFTV4bLc9pPL00FcaMM2+4ItRq6XviJbEkGZ
         5UJaCiwKErpZeQwTRTSDbqWLjp0CIABNpabzqK1qyDGLfg2NXdOz3weKfcdl9y6X091R
         Dt3A==
X-Gm-Message-State: AD7BkJKOMddQeBwDGCcIbryQK37YNASbYvdp1t8yjrvo3hewYIjgxqglZ7Uxe6gdQypdyNoTxzVSSgBzUpNREQ==
X-Received: by 10.31.168.135 with SMTP id r129mr13130227vke.7.1457742307269;
 Fri, 11 Mar 2016 16:25:07 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.159.35.77 with HTTP; Fri, 11 Mar 2016 16:24:27 -0800 (PST)
In-Reply-To: <CAFMT4NoHEJNu5HX_ciWvivPMEtTgX681DK544vwQMVMKNNUWaA@mail.gmail.com>
References: <CAGa2bXZqCd4g5BwzRxWsVw351G_o1+AkhGq3cdyKhUW39rm4Tg@mail.gmail.com>
 <CAFMT4NoHEJNu5HX_ciWvivPMEtTgX681DK544vwQMVMKNNUWaA@mail.gmail.com>
Date: Sat, 12 Mar 2016 09:24:27 +0900
X-Google-Sender-Auth: _TIeBV6eFjZBfckKKrkqeGX42kg
Message-ID: <CAGa2bXbKdw0rHyU5gPq0rhosBs+KJkzM=QYn8fyHPRB-O3+o=A@mail.gmail.com>
To: Levi Morrison <levim@php.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC][VOTE] Precise session management
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Levi,

On Sat, Mar 12, 2016 at 1:50 AM, Levi Morrison <levim@php.net> wrote:
> On Wed, Mar 9, 2016 at 2:14 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>> The RFC is
>> https://wiki.php.net/rfc/precise_session_management
>> The PR is
>> https://github.com/php/php-src/pull/1734
>>
>> I suppose almost all questions and discussion is finished, but
>> if you have any, please comment/ask.
>
> After talking to a few people I still don't understand this RFC. That
> makes me nervous. I think partly this is due to the many issues trying
> to be solved inside this one RFC. To be frank, a large part of it also
> comes from the fact that the phrasing is difficult to understand.
>
> In summary, I can't feel good about voting yes on this RFC because I
> don't understand it. I've honestly tried, but I don't really get it,
> nor have several other people I have talked to. Additionally there
> appear to be BC breaks though I can't really judge their impact. Given
> that this is a minor release I don't think it's a good idea to break
> BC.
>
> I will wait for someone to respond to this email before voting, but
> unless I am convinced by further discussion I will be voting no.

Thank you for feedback.

The main points of this RFC are
 - Avoid race conditions result in session loss.
 - Make session abuse a lot harder. i.e. More secure than now.

To achieve those 2 objectives, timestamp management is introduced because
 - There is no reliable way to synchronize web server and client
state. i.e. Cookie as well as session ID by transid.
 - There is no reliable way to remove obsolete session by default.
i.e. Probability based GC is not good enough and allows attackers to
steal PHP session forever.

Because there is no way to synchronize server/client and probability
based GC is hardly acceptable, eventually consistent approach is used.

Eventually consistent approach is the same as it is now, but new
session manager does it much precise/stricter way by using timestamps.

Will this explanation help to understand it?

IMHO, this is mandatory change for session module to be more reliable
and secure than now. I hope I explained well reason behind the change.
Normal users don't know risks that this RFC is trying to
resolve/mitigate. Therefore, we are better to release it asap.

BC issue is not severe. Users' test scripts may find behavior changes,
but it does not affect session functionality in apps at all. (It
should not at least, if it does, it's bug)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net