Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93227 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 37407 invoked from network); 11 May 2016 11:36:23 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 11:36:23 -0000 Authentication-Results: pb1.pair.com smtp.mail=kinncj@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=kinncj@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.178 as permitted sender) X-PHP-List-Original-Sender: kinncj@gmail.com X-Host-Fingerprint: 209.85.220.178 mail-qk0-f178.google.com Received: from [209.85.220.178] ([209.85.220.178:34052] helo=mail-qk0-f178.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 45/48-28272-53913375 for ; Wed, 11 May 2016 07:36:21 -0400 Received: by mail-qk0-f178.google.com with SMTP id r184so23050461qkc.1 for ; Wed, 11 May 2016 04:36:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=dpynbgzd3sbok70Aj6qcWCAwJ/pS55sELxn64/gUaR4=; b=Q40SHgWm5JJIiXFxEQcRUOpIlclrqe60EEaOvaVKYFWUWUmf5vXvmwPmygGt3F5X1d jyG+Sqn2sUWD1jXPFKEMPCZiSzxAvDHLa6uN2lBH+siWiQYSBwjOLP/EvZsI3sd3wiZE /7Z7EzrDi2GLal8KVzMDeDsL1RRHxgXS8eDC/4k6C9IXE3rLK5UpfbzRrfPNY/4VT7rt ljCSmVTy4bLwQTpci9FG7OfEpW1RMCcnH4ubEpwywcQvxIhUoP4LbBzgp3/LaZVdv3ys JgpGRr3UtQk+iMHpFr5CwJl461rscmNs5dVfkNjeM+6h/4yQuHnzjh6y65pUjoaMOHq8 WtWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=dpynbgzd3sbok70Aj6qcWCAwJ/pS55sELxn64/gUaR4=; b=EU5s0sq3uT44AP5bhCNakH0DyrtkZXck4/Ao6LK82k746KGvmyM5YUVLUVj6PKqQ/z /0UaiwEDIuxLv5wlhxHQ5vc0d3FrEN2xszGTwUn7qX4v3/TAzaVHKeFkWpdGatNP87s7 bpVGvZhJuO86ifxgTfMBbz7Pdq+JedFazdY0KhGzNCIqtGUmNY/KKMJiV3M1uAgEkFfH GJPUs3ho9ZBhz83BIqUN0350Ah7mCVl+tIc9rI0FKr/Tbp1xrQs7cihSu7xT9Fkw9rMe hn/NhkCVapcYxID+MbeN8BP1FOuuVcsNYLIL7oTO54Qymf1t1/a2jQdKXMQ2eXJIzd4i UyAA== X-Gm-Message-State: AOPr4FVC8QbgY6R8i1dd9XOvRKJ3wohiWD64TnOv1vG0dwAE79P/E3rM8xNrDP46nDq3jReVpzpUWHjFkhmfQA== MIME-Version: 1.0 X-Received: by 10.55.123.130 with SMTP id w124mr2893806qkc.164.1462966578877; Wed, 11 May 2016 04:36:18 -0700 (PDT) Received: by 10.237.36.147 with HTTP; Wed, 11 May 2016 04:36:18 -0700 (PDT) Received: by 10.237.36.147 with HTTP; Wed, 11 May 2016 04:36:18 -0700 (PDT) In-Reply-To: References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Date: Wed, 11 May 2016 07:36:18 -0400 Message-ID: To: Arvids Godjuks Cc: internals@lists.php.net, Yasuo Ohgaki , Niklas Keller , Stanislav Malyshev Content-Type: multipart/alternative; boundary=94eb2c05ab5e409bc705328f7323 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: kinncj@gmail.com (=?UTF-8?B?S2lubiBKdWxpw6Nv?=) --94eb2c05ab5e409bc705328f7323 Content-Type: text/plain; charset=UTF-8 You're making confusion between CSRF and Session Hijacking... In any moment I mentioned about hijacking someone else's session, but to still being able to CSRF (Cross Site Request Forgery). Any other remote source would still be able to use your "example". "A is using your own site's contact form, with a plotted csrf token as a hidden field in the form, and the same stored in the session". With your token solution for asynchronous requests: "A is using your own site's contact form, with a csrf token remotely requested, and the same stored in its session". "B is spamming your site's contact form, with a csrf token remotely requested, and the same stored in its session". Which means: B still being able to CSRF. Which is tottaly different from Session Hijacking. On May 11, 2016 4:54 AM, "Arvids Godjuks" wrote: > Hi Yasuo! > > 2016-05-11 11:05 GMT+03:00 Yasuo Ohgaki : > > > Hi Arvids, > > > > On Wed, May 11, 2016 at 4:33 PM, Arvids Godjuks > > wrote: > > > i'm -1 on the CSRF in the sessions at all. Even more -1 on having it on > > by > > > default and having any INI settings that affect how engine processes > > data in > > > runtime. > > > People just don't learn until they shotgun themselves I guess. > > > > Override them if you don't like admins to set INI values. I've > > modified session_start() so that it can set INI values as function > > parameter. > > http://php.net/session_start > > > Admins can just forbid to change any settings. And there is an ini setting > "disable_functions" and alike. They will setup up session auto start and > forbid usage of the session_start. And force the CSRF. Been in similar > situations, done that, never want to deal with it again. > I'm not even talking about the fact, that I may have reasons to use a > different hashing algorithm in the first place. > Dealing with JS side, when you need to pass the CSRF token there is next > can of worms. > And then you get to the part, where you need to use a distributed session > management, that has it's own can of worms. And forcing CSRF handling into > the session module probably is going to make it hard to deal with it at > all. > > So no, sessions are sessions, they should have only one thing to be > responsible for - storing data. Nothing else. It's a module that already > has a lot of issues. What you are proposing, is to do what APC did - mixing > code opcache with shared memory storage. We all know how it ended. > > > > > > > > > What I personally would be for, is a CSRF aPI module that comes as > > default, > > > like the Password API one, that gives ability to generate good quality > > CSRF > > > tokens and manage it. > > > > Imagine number of CSRF vulnerabilities in PHP apps. It's countless. > > > > Letting users to choose right way is not an good options. It is > > proven. I've added session.use_strict_mode (disallows permanent > > session hijack, etc) many years ago, but fair number of users aren't > > enabling this option. I suspect most majority of users aren't enabled > > it. Even if we provide solution, it's hard to be adopted. If there is > > no solution, outcome is easy to imagine. IMHO. > > > > Users had access to good PRNG. Even if mt_rand() is used, it is hard > > enough for attackers to guess, yet there are countless CSRF > > vulnerabilities. What's the reason to ignore the fact, huge number of > > CSRF vulnerabilities exist in PHP apps? > > > > I cannot understand rationale behind you and others think it should be > > users task completely... > > > > If user does not want to use CSRF, you can't force him. And realisticly > speaking, how are you going to force the tokents on the GET urls? Rewrite > them. In JSON? In XML? etc? C'mon, these days url's there are single page > apps with their own routing and stuff and you will never get a CSRF token > in any automated maner there. It needs to be done by developer of the app. > > > > > > Anyway, I fails to see the reason why PHP should not invalidate CSRF > > attacks against POST requests with 2 simple parameter or INI... > > > > Because they may be out of your control and just forced on you by a 3rd > party. Not to mention that 3rd party libraries will do stuff that will not > take into account this setting or do some hack, and that will negate any > security. > > > > > > > > -- > > Yasuo Ohgaki > > yohgaki@ohgaki.net > > > --94eb2c05ab5e409bc705328f7323--