Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93194
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 73680 invoked from network); 11 May 2016 04:46:29 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 May 2016 04:46:29 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.50 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.192.50 mail-qg0-f50.google.com  
Received: from [209.85.192.50] ([209.85.192.50:35384] helo=mail-qg0-f50.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id FB/F1-64493-429B2375 for <internals@lists.php.net>; Wed, 11 May 2016 00:46:28 -0400
Received: by mail-qg0-f50.google.com with SMTP id f74so18278304qge.2
        for <internals@lists.php.net>; Tue, 10 May 2016 21:46:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-transfer-encoding;
        bh=Hw802PTGWT6RtSEoVQSpcNgZxRyy13VWfBSqo3pCUmE=;
        b=0dznfbGyPmjpIVnVMrN88BXwT7xG/wL0EGG7C5UU/vjZmTcz7PmPQfk9ai+p27QrZn
         5sMG23N2SL6XiYsEWzNAYR4iSft7fhMurXgMIDzLeQAkuvABabsy7ALFjpDI/xTr2xB2
         njWAbqpQpCa5uZzMeTn4o8Ro+IvUhNImwIGSjrr8MgSSfGd+JnJ86bSiofC6sLnNsnVf
         SL9fCwWictYjbOnyHbnKPi23+16a1+GmJLYRCRyzJ24D1mWzyuFYm474tlO5KKoPl89G
         Qigfid6LAMVKSh5CSyQtEvsuUHzcNWmwJSj3u52tZKfMauvGshu2FTaOJwBH5L0uP6gE
         uQZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc:content-transfer-encoding;
        bh=Hw802PTGWT6RtSEoVQSpcNgZxRyy13VWfBSqo3pCUmE=;
        b=Rbe1dQNK7oGpGc7BLYi00XiN3S6CAuX5RT4tYeiJrGyRlTGKNjyHkswzGzZPUJw/iV
         0xT0YOlGanTU9caVyvFcC2H0RjSU4O0ycsUDM7fQMctL1AL4722PsQNbr0d4WPOw1Szq
         Lm+8BUwVD1l882oh6vH27U3/pCqekTP3hcVZlMaAkVFiV9DObV6qSY36NtLctNQNpDvU
         pJuhhNhQMi8eTTPHKDDFrag/4ISHCqfLXw5g3tt6W6yOqL+chl/1+vdxzFWbEWqYD98A
         p4O5Ae+vfOWQZGGXftsrKu2OrA/S2WPXbyHO7AF5C41byqWgs9+dijzUIP+Erob6aaxa
         dTNQ==
X-Gm-Message-State: AOPr4FXG1hdsV6Qm4t7dDSDzrnkIj9nFOjnRhoNKMTRbOA9SkytSEJnhmS+LE3mXH6Kz0wTaZiT+/veYsi/YDg==
X-Received: by 10.140.196.74 with SMTP id r71mr1243606qha.41.1462941985373;
 Tue, 10 May 2016 21:46:25 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.140.27.133 with HTTP; Tue, 10 May 2016 21:45:45 -0700 (PDT)
In-Reply-To: <CAEZPtU7Wv1EQ_GsFSNwmzJnaACD91Dej_pWS_TUvjnj-wCRB5g@mail.gmail.com>
References: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
 <CAEZPtU7Wv1EQ_GsFSNwmzJnaACD91Dej_pWS_TUvjnj-wCRB5g@mail.gmail.com>
Date: Wed, 11 May 2016 13:45:45 +0900
X-Google-Sender-Auth: rEa_JI9W3K4W9OF79Oc4EL9WR4o
Message-ID: <CAGa2bXZNtokRG8e73XCbhFsaqXZEfTM64zEdWGc25zYwYWTbWg@mail.gmail.com>
To: Pierre Joye <pierre.php@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

On Wed, May 11, 2016 at 1:12 PM, Pierre Joye <pierre.php@gmail.com> wrote:
> On May 10, 2016 10:25 AM, "Yasuo Ohgaki" <yohgaki@ohgaki.net> wrote:
>>
>> Hi all,
>>
>> It's not nice to work on the same code (i.e. session module) for
>> multiple RFCs, but time is limited.
>>
>> I would like to hear from ideas/comments before I write patch for this.
>> https://wiki.php.net/rfc/automatic_csrf_protection
>>
>> Thank you for your comments.
>
> I will try to explain a bit my view on all the current efforts (welcome) =
to
> secure session managements and related areas.
>
> For the last one, I do not think php should take of it. If we still want =
to
> do it, I won't do it all using what it is proposed. It should provide API=
s,
> easy to use and being used on demand (think of the password APIs for csrf
> protection). INI settings are unflexible, hard to custom or fix later. Th=
e
> pl=C3=A9thore of packages (and some very good ones like in slim fe) lead =
the way.
>
> This RFC also makes many assumptions about erroneous  common cases as man=
y
> other said in this thread.
>
> About all other RFCs to secure or improve sessions. My feeling is simple:
>
> The current session code and designs is old, very old. It does not match
> today ways to do things. Every time we fix it, I see a band aid fix.

I agree partly.
The way session ID is managed is obsolete and insecure. Therefore, I propos=
ed
precise session management.

> In other words, rewrite the damned thing. Make clear, simple APIs, enable
> secure behavior by default and limit the ini options to the very strict
> minimum.

I have different point of view.
Current session manager is like UDP. Users has to do lot of work to
maintain state properly. Session manager should be like TCP. IMO.
Users shouldn't have to care about details how session/state is
maintained.

Thank you for your comments. I've updated the RFC. You might like this vers=
ion.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net