Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93189
Return-Path: <pierre.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 66829 invoked from network); 11 May 2016 04:12:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 May 2016 04:12:13 -0000
Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.49 as permitted sender)
X-PHP-List-Original-Sender: pierre.php@gmail.com
X-Host-Fingerprint: 209.85.218.49 mail-oi0-f49.google.com  
Received: from [209.85.218.49] ([209.85.218.49:35566] helo=mail-oi0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C7/80-64493-B11B2375 for <internals@lists.php.net>; Wed, 11 May 2016 00:12:12 -0400
Received: by mail-oi0-f49.google.com with SMTP id x19so48887515oix.2
        for <internals@lists.php.net>; Tue, 10 May 2016 21:12:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc;
        bh=dix9/3IEuP81bvMnuTt65l2VfNh+9TA4Y1GnnDW9+oc=;
        b=Jyzh/vdIlf9U+7scS2BJbVBBAWOPUDDeMnMgYAhfRxBg958AQzXkgOQ43rNJdLaHUg
         piP8DDLScopUott0qCaOdH+ziEwyQtni77AhEE/2SyqQUysu1dS55XqFsI0gr4PaJIrd
         Frq5Oh/kbCjeQ3FfEPmWbtb6WVZDsZoTZKLkzk54mDREZWy/wQRvUueftTKLxlmpYRh8
         22YJ62raZWTi8+euoXwSxM/UZeTgEBGCfAhvG3EP3e36CGyATIKladY2jXtiywFqjOxS
         ua2u+mptsddIOXV7E6VzN223ucbXDNnHLa0LmoRPJH/uCIj/GGTwhSyq7Fa603CWH6Rc
         vZCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc;
        bh=dix9/3IEuP81bvMnuTt65l2VfNh+9TA4Y1GnnDW9+oc=;
        b=JBLTC68YAYB56aLe1WlIAW3Jkp5BNqVUgWOCx/bJ1988hzuWz/0S1uth3xSIpjIuhy
         osDGw4elJBYMBclLvLy4w+f0wZy3zINHnyMnC1NPpCJWuWxNCaaJDgzXJouEbRJJKjaC
         wEKEitP+YA98GRGbPNJFzfP2aZ9MpYlTRbWnyFRcmm75tFGvbVqPPInjhdWvUHia95Fu
         pRi2rY1YLVGehA67xwzX6a6fitX7cX4fs11fHdlDieKJH6X+7L7MdsG/cFtTENstYkIV
         FVznxJKv+mnjFgTQwfG46aXlm5/JV/UWKBY+snNrqCj8OF35i48j3IYmYI10mHC8bxvK
         m8iQ==
X-Gm-Message-State: AOPr4FUKEET6qHXO7SqXNfflXCP1ME5Og/NQCqiu/S2EuPu+0ceN+SdPtQSy7zyzSgorU09jioS1/P8IwPgAcA==
MIME-Version: 1.0
X-Received: by 10.157.40.9 with SMTP id m9mr666020otb.23.1462939928354; Tue,
 10 May 2016 21:12:08 -0700 (PDT)
Received: by 10.202.215.193 with HTTP; Tue, 10 May 2016 21:12:07 -0700 (PDT)
Received: by 10.202.215.193 with HTTP; Tue, 10 May 2016 21:12:07 -0700 (PDT)
In-Reply-To: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
References: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
Date: Wed, 11 May 2016 11:12:07 +0700
Message-ID: <CAEZPtU7Wv1EQ_GsFSNwmzJnaACD91Dej_pWS_TUvjnj-wCRB5g@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1134f38ec1e8690532893eae
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: pierre.php@gmail.com (Pierre Joye)

--001a1134f38ec1e8690532893eae
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi,

On May 10, 2016 10:25 AM, "Yasuo Ohgaki" <yohgaki@ohgaki.net> wrote:
>
> Hi all,
>
> It's not nice to work on the same code (i.e. session module) for
> multiple RFCs, but time is limited.
>
> I would like to hear from ideas/comments before I write patch for this.
> https://wiki.php.net/rfc/automatic_csrf_protection
>
> Thank you for your comments.

I will try to explain a bit my view on all the current efforts (welcome) to
secure session managements and related areas.

For the last one, I do not think php should take of it. If we still want to
do it, I won't do it all using what it is proposed. It should provide APIs,
easy to use and being used on demand (think of the password APIs for csrf
protection). INI settings are unflexible, hard to custom or fix later. The
pl=C3=A9thore of packages (and some very good ones like in slim fe) lead th=
e
way.

This RFC also makes many assumptions about erroneous  common cases as many
other said in this thread.

About all other RFCs to secure or improve sessions. My feeling is simple:

The current session code and designs is old, very old. It does not match
today ways to do things. Every time we fix it, I see a band aid fix.

In other words, rewrite the damned thing. Make clear, simple APIs, enable
secure behavior by default and limit the ini options to the very strict
minimum.

We all already used custom extensions for management anyway (serialization,
different backends, etc). It may not help shared hosting but these are kind
of hopeless in many regards.

> Regards,
>
> P.S. Precise session ID management is important, but this one is also
> important. I'll finish and start voting 2 active session RFCs soon. I
> may finish all of them hopefully.

--001a1134f38ec1e8690532893eae--