Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91987
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82404 invoked from network); 29 Mar 2016 11:50:17 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 29 Mar 2016 11:50:17 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.44 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.213.44 mail-vk0-f44.google.com  
Received: from [209.85.213.44] ([209.85.213.44:34647] helo=mail-vk0-f44.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 77/66-37399-8FB6AF65 for <internals@lists.php.net>; Tue, 29 Mar 2016 06:50:17 -0500
Received: by mail-vk0-f44.google.com with SMTP id e185so14724546vkb.1
        for <internals@lists.php.net>; Tue, 29 Mar 2016 04:50:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:from:date:message-id:subject:to;
        bh=sWEQqlUhnb5zPlVZ9tRlyo5N03SUFE5OD8H18RtRcmQ=;
        b=Tt/66kPiAkiAZP4swvFfE58suQjfSDMPLkuNBDZnJeqcPVaczY9bdLlbarm/DszhgS
         F7Ns4Ku2SlnIVSoiZZUXSBnY9MhgcsrrsKpJVH0aJxdPVsWtE9PisuZiymQcsBQk9WPg
         QSZ7iCZOUHFw/1u76oGVJPzmYyZ28qKCKRBWLRSu9dnuYsZsQEkcZ8DPRI/0qcHBeNXC
         znveXOk88mNdUJvJAuE28OHfeKcLfUno6SM7/1p1tWQAEZjMVIXJ9PyuyeSSTY3j7zhu
         4jsbbYFLqIviMjqoAUHGi0CfBrJ5xkEP3tqoVZBG8lNVJg/E6ixkhubdfKP3eC0f/GPk
         b4/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:from:date:message-id:subject
         :to;
        bh=sWEQqlUhnb5zPlVZ9tRlyo5N03SUFE5OD8H18RtRcmQ=;
        b=E8znPcZolTdKCEP12pEfuk0IfUP4WUcRc0hlkzyIhw+pgFDS4pxK5JxpUO2bboJXOz
         YKw/buydlsbcSMLfihaKy2NcnJJQL9306x5Rs97oLawH7ov2ZlQiHQuLeiG14yY2BIec
         av0sZfPaHAHU5Yr/4ttbYApMvi5XKWrHNIM/AGcDx5hnkJp57rRvl4oEE8J88hzb4kSL
         LCHMsQHKEu/OYPwYnxWI3PMs1q14YifHxWNDplVf0EldBbomHRMZ7LUhTRfx26QFFzDg
         hBuIl+suy6Zqc+kDWSCltPx70o7klRlp7DUDH+eH6Z7LPHZ6ArtDX3LuiwrmaepMNKSP
         96QA==
X-Gm-Message-State: AD7BkJKwZQxOZdqu0Oo0GfTZe2CuOrNOIWxSs5ZpKYB/pj1sBcHQFk52OUFkwBkqNK4CMDqSJVtd4gYM8lo0xA==
X-Received: by 10.31.34.2 with SMTP id i2mr880537vki.7.1459252213946; Tue, 29
 Mar 2016 04:50:13 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.159.40.7 with HTTP; Tue, 29 Mar 2016 04:49:34 -0700 (PDT)
Date: Tue, 29 Mar 2016 20:49:34 +0900
X-Google-Sender-Auth: dcDWqYdnSq9qyf1FLO4jrd5PeFQ
Message-ID: <CAGa2bXYrUyWdSuS_9CikGyoZ-K3viS+UhVkL6xEHVkO02EbLoA@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Brief history of security related changes in session module and time
 stamp based session management
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

Security related changes in session module tends to take looong time
even if issue is serious security threat.

An example is adoptive session manager issue. Accepting user specified
(i.e. not generated by session manger) session ID allows attacker to
hijack session permanently, very easily.

Session manager _must_ reject session ID that is _not_ generated by
session manager. This was proposed PHP 4 era, around 2004 IIRC. It's
implemented for PHP 5.4 and up as 'session.use_strict_mode'. It took
about 9 years for this change.

This change was proposed by Stefan Esser originally. It was obvious to
me that the change is mandatory. I thought the change was merged
immediately after the proposal, but it wasn't. I realized it a few
years later and tried to apply the change. It took another years until
merge.

The reason why it took so long is that not many of us did not realize
consequence/threat of the old session module behavior that adoptive
session manager allows permanent session hijack easily.
("session.use_strict_mode" is not enabled by default even in PHP 7.0,
BTW. Thus, it is a serious threat still.)

I also realized time stamp based session management is mandatory years
ago. Without time stamp based management, session is too easy to
exploit. However, many of us did not realize that time stamp based
session management is mandatory, again.

https://wiki.php.net/rfc/precise_session_management
(This one is second RFC attempt)

Unfortunately, this proposal was rejected. Spending yet another years
for mandatory session management improvement is not good for us. I
would like to implement mandatory security improvements in session
module for next minor release, secure by default in mind.

The only valid discussion against time stamp based session management
would be "Users should implement/change them by themselves". However,
user space implementation is not too simple nor efficient.

Those who vote not in favor of the RFC, please let me know the reason
why. I may be missing important parts. If this is the case, I'm
willing to improve it. If not, I assume you disliked simple security
enhancement inclusions like INI default changes.

If you think time stamp based session management is not needed, please
explain rationale.

Let's discuss and finish what needs to be done.

Regards,

P.S. I'll write separate RFC for session security improvements like
INI changes and hash function removal, so please keep this thread for
time stamped session management discussion only. Please note that GC
based management and time stamp based management is very different
method.

--
Yasuo Ohgaki
yohgaki@ohgaki.net