Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91890
Return-Path: <t.carnage@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 96992 invoked from network); 24 Mar 2016 13:55:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Mar 2016 13:55:37 -0000
Authentication-Results: pb1.pair.com smtp.mail=t.carnage@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=t.carnage@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.42 as permitted sender)
X-PHP-List-Original-Sender: t.carnage@gmail.com
X-Host-Fingerprint: 209.85.215.42 mail-lf0-f42.google.com  
Received: from [209.85.215.42] ([209.85.215.42:35725] helo=mail-lf0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9C/37-36618-5D1F3F65 for <internals@lists.php.net>; Thu, 24 Mar 2016 08:55:35 -0500
Received: by mail-lf0-f42.google.com with SMTP id q73so32504793lfe.2
        for <internals@lists.php.net>; Thu, 24 Mar 2016 06:55:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc;
        bh=9X5I1njjttNamOGKQRzQf7Ptf5PNI/FM1p7tnx+Exe4=;
        b=pfobSyuFXAWzHacHTe4AvdbbBnZ3W6w6GLCOUj9hT0UQHy3zJVPAguVg259o3aH6sI
         4jsIoWOBZu0xzapNAgCJaBjmYroLmFn9TgNW4uz3j3XDint9tZEsIj6tluxY1oqdmEOH
         dOXte6tCnNHV3xdv9si/lRrOeGvyymx1tA7tjw+hebOJ+jV3NYzfSzB2i6y+vHfwE5fD
         Hv2Nxg+lnC2pLHqZHxpacedSWLvJkyt8SfeiQ8ld19wKMWy/POV69PCNBUcTxxwC1lGR
         +mdHzD/vAPBkHtX5igYXqB/DbJJ9azCUPWEXvUge5i5s52Cky/b/rTEZDdgFS0P0PbtO
         8jSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc;
        bh=9X5I1njjttNamOGKQRzQf7Ptf5PNI/FM1p7tnx+Exe4=;
        b=AYOg+tAibFGpS7sPvBEhVGWW6hZjhE6Rg/glopnnZ3i0lQa5tH+wW73fVfGJLwxEQr
         fbBhpkYNCNGu+7YSAaZ3msYaMdJpFFL4WLWmKDLjqizOqYqMDr7+Lmpq2rmXcE9tOCLt
         TicjcZ0AHwcuqfCKAObalN06HP4AQpGe7foxoschhS3CB85Sl5WfsP60O778q1O9FIjF
         VF5f72EEj4pngud2QK9MIeXFMpwoBM0cyuq7Gzkf3839V5v5HGV9x1fk1zgnsKaNANy5
         9iblt9GRT3ltigR01mga/52muGBRSrmb7096PZBpXDpXTmGKBe1PADAauINldpeCkvsa
         RRxg==
X-Gm-Message-State: AD7BkJLLnbbAaE9G8vGEe7HXAwk7HxnqQSIiBeh6hM/eVFmQh48+90bfohADslAEmRjGvs6cRfHMxbk7NrFi+A==
MIME-Version: 1.0
X-Received: by 10.25.35.88 with SMTP id j85mr3479441lfj.148.1458827731217;
 Thu, 24 Mar 2016 06:55:31 -0700 (PDT)
Received: by 10.112.0.200 with HTTP; Thu, 24 Mar 2016 06:55:31 -0700 (PDT)
In-Reply-To: <CAGa2bXauwspEZ4HYSHgVOyd+VEvKxoymWYFPG6NaOdCa+APfKQ@mail.gmail.com>
References: <CAGa2bXauwspEZ4HYSHgVOyd+VEvKxoymWYFPG6NaOdCa+APfKQ@mail.gmail.com>
Date: Thu, 24 Mar 2016 13:55:31 +0000
Message-ID: <CABHuAWzwxRQxohRca8MvChs4ZdHNk-xc9P5HW93dzkq1TRztoQ@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113c80d4b5337f052ecbcc1f
Subject: Re: [PHP-DEV] [RFC][Discussion] Precise session data management
From: t.carnage@gmail.com (Chris Riley)

--001a113c80d4b5337f052ecbcc1f
Content-Type: text/plain; charset=UTF-8

On 24 March 2016 at 02:34, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi all,
>
> Since the vote for
> https://wiki.php.net/rfc/precise_session_management
> is declined 15 vs 11.
> https://wiki.php.net/rfc/precise_session_management#vote
>
> We have to come up with other solutions for
>
>  - Session loss by race conditions
>  - Method to make session abuse harder
>
> I'm open to implement better solution than proposed RFC.
>
> These issues are serious issues that cannot be ignored.
> Looking forward alternative implementation ideas!
>
> Thank you.
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
I'm disappointed this RFC failed as improving session security should be a
high priority. I'd propose that we focus on items which will improve
session security overall. This jumped out at me to start with: "This RFC also
includes minor security improvements like httponly cookie, better hash
function."

Perhaps a first RFC for improving session security can start with those
items: Set the session cookie to be httponly (or provide an ini setting to
do so, defaulting to on) instead of using a better hash function for the
session id, why not generate it from random_bytes()? Then the id is crypto
secure.

I'd then consider a second RFC setting out the extra internal data that
would be required to kill off old sessions correctly. That would require to
keys under ['__PHP__SESSION__'] (could the key name be an ini setting to
preserve BC?) 'destroyed' and 'expires', the latter would be a bool flag
stating if the session had been explicitly destroyed. (A destroyed session
could no longer be used, could throw an exception or just have no data in
it) the expires key would be used in a similar manner, being set to
Time+cookie expiry time on each read/write to the session. (again an
expired session would not be accessible and would function like a destroyed
one)

The combination of the two would resolve most of the security issues and
establish the __PHP__SESSION__ key which could later be used to handle the
race condition issue.

--001a113c80d4b5337f052ecbcc1f--