Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95144
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 55866 invoked from network); 14 Aug 2016 20:14:53 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Aug 2016 20:14:53 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:57850] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 87/11-36656-B31D0B75 for <internals@lists.php.net>; Sun, 14 Aug 2016 16:14:53 -0400
Received: (qmail 122668 invoked by uid 89); 14 Aug 2016 20:14:47 -0000
Received: from unknown (HELO mail-qk0-f179.google.com) (yohgaki@ohgaki.net@209.85.220.179)
  by 0 with ESMTPA; 14 Aug 2016 20:14:47 -0000
Received: by mail-qk0-f179.google.com with SMTP id f123so29122577qkd.1
        for <internals@lists.php.net>; Sun, 14 Aug 2016 13:14:46 -0700 (PDT)
X-Gm-Message-State: AEkoouv7b9FxwCGlaXsf79bomkw40z7ZhSaPxusgb2ophBlaQLnyOQYbhbQYm6fVGI/nyjLweM1JYsGe8rbEmQ==
X-Received: by 10.55.39.81 with SMTP id n78mr29608334qkn.10.1471205680443;
 Sun, 14 Aug 2016 13:14:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Sun, 14 Aug 2016 13:13:59 -0700 (PDT)
In-Reply-To: <CAGa2bXYuO+y155BHG1hZSO75TzZqkH1RyU6C6jigEo9_goJoBA@mail.gmail.com>
References: <CAGa2bXaZhfXbU6N0-JGVPzkkxRdkcjEhkHP+YrQNH=XFX714-Q@mail.gmail.com>
 <CAPwsocFAMofROQE-OBfNiR4yrKKSss_owu0svu+Db66DmRbShw@mail.gmail.com>
 <CAGa2bXaxRA91q+ev-X3okKpNC=s3XEwC9deUYikTaUQPfOE-JQ@mail.gmail.com>
 <cc719c6c-598d-b103-96bf-eb3714a61365@thefsb.org> <CAGa2bXYNExeQLug=co8G1g+fdy6BXK9UbeyGkjss5s62R00Fdg@mail.gmail.com>
 <D3D49F41.70F4A%fsb@thefsb.org> <CAGa2bXYa-6gpyUH_yXwoob8aZA_UVjuRfzbrMxfdUp7j5jk8EQ@mail.gmail.com>
 <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk> <CAGa2bXYuO+y155BHG1hZSO75TzZqkH1RyU6C6jigEo9_goJoBA@mail.gmail.com>
Date: Mon, 15 Aug 2016 05:13:59 +0900
X-Gmail-Original-Message-ID: <CAGa2bXZoPtZ4anU=Q2RsgVssLW5O+a8f_-4sKAGj==MvJNrJ_g@mail.gmail.com>
Message-ID: <CAGa2bXZoPtZ4anU=Q2RsgVssLW5O+a8f_-4sKAGj==MvJNrJ_g@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

It seems importance of session ID validation that prevents collisions
is not recognized enough.

Brute force session ID hihack risk is described here.
https://www.owasp.org/index.php/Insufficient_Session-ID_Length

The expected number of seconds required to guess a valid session
identifier is given by the equation:

(2^B+1)/(2*A*S)

Where:

B is the number of bits of entropy in the session identifier
A is the number of guesses an attacker can try each second
S is the number of valid session identifiers that are valid and
available to be guessed at any given time

It says

"Now assume a 128 bit session identifier that provides 64 bits of
entropy. With a very large web site, an attacker might try 10,000
guesses per second with 100,000 valid session identifiers available to
be guessed. Given these assumptions, the expected time for an attacker
to successfully guess a valid session identifier is greater than 292
years."

292 years may sounds long enough. However, even though the document
explicitly states "it requires validated session ID", but it is clear
it assumes "session manager that validates session ID".

Let me paraphrase OWASP's document to show why.

"Now assume a 128 bit session identifier that provides 64 bits of
entropy. With a very large web site, legitimate users might creates
10,000 new session ID per second (New and regenerated session) with
10,000,000 valid session identifiers available to be collided. Given
these assumptions, the expected time web system to successfully has
collided identifier is greater than 2 years."

Assumption for security should be pessimistic. OWASP makes pessimistic
assumption for entropy in session ID, probably because proving "CSPRNG
generates good quality of random bytes" is difficult.

10M active session is possible even with relatively small sites
because there are users who use very long session ID life time for
"auto login". 10K new session ID is possible for relatively small
sites also because OWASP recommends session ID regeneration for every
15 minutes.

IMHO, it's nonsense to argue "Session ID collision very rare and
cannot happen", "PHP Session ID safe without collision detection",
etc.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net