Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94583
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 30876 invoked from network); 20 Jul 2016 09:07:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Jul 2016 09:07:52 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:55930] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 95/29-52781-56F3F875 for <internals@lists.php.net>; Wed, 20 Jul 2016 05:07:51 -0400
Received: (qmail 48967 invoked by uid 89); 20 Jul 2016 09:07:46 -0000
Received: from unknown (HELO mail-qt0-f180.google.com) (yohgaki@ohgaki.net@209.85.216.180)
  by 0 with ESMTPA; 20 Jul 2016 09:07:46 -0000
Received: by mail-qt0-f180.google.com with SMTP id 52so22909405qtq.3
        for <internals@lists.php.net>; Wed, 20 Jul 2016 02:07:45 -0700 (PDT)
X-Gm-Message-State: ALyK8tKb/CFi+5B+KuEMjyMMBU4YHxqG34EhtABfOFbWiFHRbYw4MsaDuv9SjW+J8whLtGFHL0zXhRcF7myqNQ==
X-Received: by 10.200.38.107 with SMTP id v40mr16643671qtv.76.1469005659368;
 Wed, 20 Jul 2016 02:07:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Wed, 20 Jul 2016 02:06:59 -0700 (PDT)
In-Reply-To: <CAEYWF=4NQ3w-VWeqF89LTpFaqA1wvf7ctnwHsVRcFy+p1cP-tA@mail.gmail.com>
References: <CAGa2bXbZgGe3aq--SZ3D3AC1bYX7mTctDC-6CUy--X+UZ9XEiQ@mail.gmail.com>
 <CAGa2bXYkfG4o-gUTGohpkdQ3VWn_5B7u_avTX3raHX=XxZ+vBw@mail.gmail.com> <CAEYWF=4NQ3w-VWeqF89LTpFaqA1wvf7ctnwHsVRcFy+p1cP-tA@mail.gmail.com>
Date: Wed, 20 Jul 2016 18:06:59 +0900
X-Gmail-Original-Message-ID: <CAGa2bXaEz6hq-a9yDB=m5xn2e=b7c27prRr39px5arPWN9WBRw@mail.gmail.com>
Message-ID: <CAGa2bXaEz6hq-a9yDB=m5xn2e=b7c27prRr39px5arPWN9WBRw@mail.gmail.com>
To: Bishop Bettini <bishop@php.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Enable session.use_strict_mode by default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Bishop,

On Wed, Jul 20, 2016 at 9:47 AM, Bishop Bettini <bishop@php.net> wrote:
>> To decide next move, I would like to start hearing the reason why from
>> those who are against this RFC.
>
>
> I abstained from voting. While I would be a "Yes" in principle, two specific
> statements in the RFC made me wary of following that instinct:
>
> 1. "external session data storage may have noticeable impact"
> 2. "lost sessions are far better than stolen sessions"
>
> I can hand waive the first one away, as performance can be optimized
> usually. But I can't really agree that, in general, lost sessions are "far
> better" than stolen ones: if lost sessions happen 1% of the time, and stolen
> sessions happen .001% of the time, then to me lost sessions are worse.

Thank you for feedback!

1. This overhead could be avoided. I'll add this to my task list.
2. This could be avoided by timestamp based session management.

Lost sessions could happen:
 - When session_regenerate_id(true) which deletes old session data immediately.
by:
 a. Race condition in browser by multiple requests. (Result in empty session ID)
 b. Race condition between server and browser by multiple requests.
(Result in empty session data)
 c. Unstable network connection. (Server use new session ID, but
browser didn't get new ID. Result in empty session data)

It is advised to change session ID periodically. Obsolete(old) session data
should be _deleted_. i.e. Simply calling session_regenerate_id() is
not good enough because delete flag is false by default. However
immediate removal causes above races. Therefore, short TTL for
obsolete session is required.

Chance of c. does not change regardless of session.use_strict_mode.

session.use_strict_mode=1 increases chance of a. and b. because session
module will try to set new session ID many times. e.g. Session could be
expired while browser is loading resources. It uses multiple connections for
access to images, css, js, etc. These resources could be using session for
access control, customization, etc and result in many set-cookie headers
for session. i.e.  many set-cookies more chances for races.

session.use_strict_mode=0 uses supplied old session ID and less likely to
have race. i.e. No set-cookie headers are sent for new session ID.

I cannot mention specific probability change. Hopefully, it would not
be too much.
(I don't like this, so I proposed timestamp based session management RFC)

If session module removes old session data a little after
session_regenerate_id() is called, chances to have races will not increase.

This could be done by user script also. It might be an off topic, but FYI.

PHP 5.x and 7.x
--- Set TTL before regenerate and save ---
$_SESSION['TTL'] = time() + 300;
session_commit();
session_start();
session_regenerate_id(); // It simply generates and sets new session ID.
unset($_SESSION['TTL');
------------------------------------------------------------

PHP 7.x only. More efficient.
--- Set TTL before regenerate and save ---
$_SESSION['TTL'] = time() + 300;
session_regenerate_id(); // It writes and closes old session data and
                                    // creates new session data since 7.0
unset($_SESSION['TTL'])
-----------------------------------------------------------

And check TTL value where normal session_start() is called and destroy
when it is expired.

My other declined RFC does this for users automatically (no code at all)
as well as other convenient things.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net