Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:91891 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 776 invoked from network); 24 Mar 2016 14:43:16 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 24 Mar 2016 14:43:16 -0000 Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain paragonie.com designates 209.85.214.170 as permitted sender) X-PHP-List-Original-Sender: scott@paragonie.com X-Host-Fingerprint: 209.85.214.170 mail-ob0-f170.google.com Received: from [209.85.214.170] ([209.85.214.170:33887] helo=mail-ob0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 9F/A7-36618-30DF3F65 for ; Thu, 24 Mar 2016 09:43:15 -0500 Received: by mail-ob0-f170.google.com with SMTP id kf9so33454219obc.1 for ; Thu, 24 Mar 2016 07:43:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=MACUHy9g0fODe97psQCZTjzickWAjMwh9u27SCNdr2g=; b=0zhn17tN0BtybbTywtuatM5gzcHh/iK6QAWScI0QvdmfN9nygEFiXYrugSBE5127Dy soCje+xCk6CTSKJMC8UNrw7WLgT6aY2r3ygyIFNyYob0qpEgmr6Kirjd9lMjZAtfy85N yK6hsVitFgxMI/JJ+JreIPz+rRhKiR88fV+pTDIiKqxak88kdeJ6JvcwDEpD1TMCUsxe 49hC7UaMPT5y0oVqDhJvv5itFXzgNxx3dc48GcgUh2YzbrBviMOSn/2ETUnNT+Irp/0l 85Myrg6Nx/lQ91Z2Bjz7AkbO9YDSNJGJMCqWmgLv2CPzDT6wvLoZmxmGqyslkvd+k5cL VHSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=MACUHy9g0fODe97psQCZTjzickWAjMwh9u27SCNdr2g=; b=l9HcWq/0iy1WOKm3asjvtIfwXYu9nSFOHqzWvaMxtGrCSPDzM7z3gATwN7eGxSf+JJ cu8ZmjNIOPkNLZJ4foT5yy+ggRZyCx6N7RZy3ecdOkQzKMPHKNPZi0NOLhuwpLrMEMOc i+PIdNU51WBANEbGPNAGdXN4PAj7kS9gAGr9XZ+8IOmOjqjk/vNEfsV4UezSv33VXvpj brZ7RZs0SNvUfEQlHfX4k9OIch4L2VXb0+2kCFo/FKo8p4lIXmZ22YXYkyiyhl2Npd/U w+2N7+UaF0dLE/2MsiereATHqNKPcbFMzd/Z1E2EVQ1Uq9d98v5kMgsBu17j+BV/Fwbo LuWQ== X-Gm-Message-State: AD7BkJI57cRs27tUS21N5eFww3LOiKn6hCZJQ3GdkqUKazlFh/xrJpbNtzSZZ8ObYENPy09oenI+IW+2hiW7zA== MIME-Version: 1.0 X-Received: by 10.60.69.198 with SMTP id g6mr4455301oeu.44.1458830592720; Thu, 24 Mar 2016 07:43:12 -0700 (PDT) Received: by 10.157.14.47 with HTTP; Thu, 24 Mar 2016 07:43:12 -0700 (PDT) In-Reply-To: References: Date: Thu, 24 Mar 2016 10:43:12 -0400 Message-ID: To: Chris Riley Cc: Yasuo Ohgaki , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1133423e44673b052ecc773c Subject: Re: [PHP-DEV] [RFC][Discussion] Precise session data management From: scott@paragonie.com (Scott Arciszewski) --001a1133423e44673b052ecc773c Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Thu, Mar 24, 2016 at 9:55 AM, Chris Riley wrote: > On 24 March 2016 at 02:34, Yasuo Ohgaki wrote: > > > Hi all, > > > > Since the vote for > > https://wiki.php.net/rfc/precise_session_management > > is declined 15 vs 11. > > https://wiki.php.net/rfc/precise_session_management#vote > > > > We have to come up with other solutions for > > > > - Session loss by race conditions > > - Method to make session abuse harder > > > > I'm open to implement better solution than proposed RFC. > > > > These issues are serious issues that cannot be ignored. > > Looking forward alternative implementation ideas! > > > > Thank you. > > > > -- > > Yasuo Ohgaki > > yohgaki@ohgaki.net > > > > -- > > PHP Internals - PHP Runtime Development Mailing List > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > I'm disappointed this RFC failed as improving session security should be = a > high priority. I'd propose that we focus on items which will improve > session security overall. This jumped out at me to start with: "This RFC > also > includes minor security improvements like httponly cookie, better hash > function." > > Perhaps a first RFC for improving session security can start with those > items: Set the session cookie to be httponly (or provide an ini setting t= o > do so, defaulting to on) instead of using a better hash function for the > session id, why not generate it from random_bytes()? Then the id is crypt= o > secure. > > I'd then consider a second RFC setting out the extra internal data that > would be required to kill off old sessions correctly. That would require = to > keys under ['__PHP__SESSION__'] (could the key name be an ini setting to > preserve BC?) 'destroyed' and 'expires', the latter would be a bool flag > stating if the session had been explicitly destroyed. (A destroyed sessio= n > could no longer be used, could throw an exception or just have no data in > it) the expires key would be used in a similar manner, being set to > Time+cookie expiry time on each read/write to the session. (again an > expired session would not be accessible and would function like a destroy= ed > one) > > The combination of the two would resolve most of the security issues and > establish the __PHP__SESSION__ key which could later be used to handle th= e > race condition issue. > Could we also add HTTPS detection and enable the secure flag by default when a session is established on an HTTPS endpoint? Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises =E2=80=8B --001a1133423e44673b052ecc773c--