Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93253 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 99456 invoked from network); 11 May 2016 21:40:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 21:40:15 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.171 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.220.171 mail-qk0-f171.google.com Received: from [209.85.220.171] ([209.85.220.171:33045] helo=mail-qk0-f171.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 07/13-28272-EB6A3375 for ; Wed, 11 May 2016 17:40:15 -0400 Received: by mail-qk0-f171.google.com with SMTP id n63so33283514qkf.0 for ; Wed, 11 May 2016 14:40:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=mB/Z0OfyFs4UDz6nhZUztWWLDXBMGchsdNIEJr0hcDA=; b=Ze/vIf17kHQbgq08QpRjZE+nZC3otRrZ46mfVpzr8BhfyUcnaDgecr9xV58VoUBMU7 6jiFiHHpe/v8NYivjJIPXe27s3Y3c+pkj/luMdI15EHWWrbnAh34T7Lq9ByRc41aay0c udaJiBJ3eKJjkPymYecsR1LwBEagMrdLLpsSCOsTwQ3qhAoK+3cnfp6Ei9qJCMNQr8mJ Q2cPpqEx5iXwBj78wr75sQnNh5U32az32tJ970WYGr03+7qloHyWOdADFjxKxkdeyUWx KOoN72pVkrPj9bP8WhU3L5TzvMq4ztGAJo9x5VsYAaKu90bxY/5z0qDvby2a4iytdN6/ iGxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=mB/Z0OfyFs4UDz6nhZUztWWLDXBMGchsdNIEJr0hcDA=; b=XHhdZ1vuF0GuwEKaqOzZE6NVXM/ZoYWvf1SJDVIiX4nzKNtBA1NVt8Di7qqfEaOCBz 4tznP/p/urDM9PTi1CKQO7OQKv5gq5CNcVWvFKUjYlqof6CwNVzNdqTVtkY2SkzEzXOc E8U/7WJaf337Vx+RX7QSn+a5rKjONPClimYNR4omEDDC54ildPWepXAnLkxYn3tDgQ44 f+WNI30wxg6GFDMGJefrVjqbWEgVgPzy/IRT8A+8w+othQVXHAG7WAMq2RXCfHNMF8Q4 V8nobKsbc1vW4Gj7YMvo1j6SDfpdtrNuogetwQ9TvA6sZbcmDA784+OZa16yyidcaQFl B3IA== X-Gm-Message-State: AOPr4FWMrFRur8t/hXToGqCZWzq+4cEW8bGjoapdf5IPQ01GVYx99FMpnU0fSIwsLtOL/RN475PxkqAiOORhJA== X-Received: by 10.55.80.136 with SMTP id e130mr6517135qkb.28.1463002812763; Wed, 11 May 2016 14:40:12 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Wed, 11 May 2016 14:39:32 -0700 (PDT) In-Reply-To: References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com> <4d97846f-81d6-6cad-91ad-5e513a709e91@gmail.com> Date: Thu, 12 May 2016 06:39:32 +0900 X-Google-Sender-Auth: VTlML3rrErRxR_Y1taeUeatoPHA Message-ID: To: Andrey Andreev Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Andrey, On Wed, May 11, 2016 at 10:40 PM, Andrey Andreev wrote: > Hi, > This gets a -1 from me as well. > > Much has been said already about why this is a bad idea, to the point where > I don't know why there's still discussion around it. But here's one more > reason ... > > It assumes, and thus also encourages, that users have an active session at > all times - this is bad. You're not supposed to start a session for a user > *until they have logged-in*. You don't have to use it if don't need it or has other complement such as double submit cookie. > If you do, then unless you're not storing session data server-side (which > is hard to do properly and is not supported by ext/session), you're almost > certainly vulnerable to some form of DoS (e.g. inodes and/or memory/storage > being filled-up), exhaustion of free IDs, entropy available for new session > ID generation, pre-fetching of IDs to work around use_strict_mode > restrictions, etc. None of these arguments make sense... It does not consume much resources. Moreover, this RFC's CSRF protection requires less resources than most web frameworks' implementation that use session for CSRF protections. BTW, use_strict_mode is not a "restriction", but a mandatory requirement for proper session management. What current session manager is broken is other parts like inadequate session data lifetime management. > > Therefore, while the session store *after login* is suitable for token > storage, CSRF protection by default just doesn't belong in ext/session. Session task, by its definition, is to distinguish and manage state of requests. Session must distinguish requests, i.e. must keep authenticity. CSRF is obvious authenticity issue. Some of us see session manager as just a storage, but it's not a correct definition. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net