Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Date: Mon, 15 Aug 2016 05:20:35 +0900
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
References: <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk>

On Mon, Aug 15, 2016 at 5:13 AM, Yasuo Ohgaki wrote:
> Let me paraphrase OWASP's document to show why.
>
> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy. With a very large web site, legitimate users might create
> 10,000 new session IDs per second (new and regenerated sessions) with
> 10,000,000 valid session identifiers available to be collided. Given
> these assumptions, the expected time for the web system to have a
> collided identifier is greater than 2 years."
>
> Assumptions for security should be pessimistic. OWASP makes a pessimistic
> assumption for the entropy in session IDs, probably because proving "the
> CSPRNG generates good-quality random bytes" is difficult.
>
> 10M active sessions are possible even with relatively small sites,
> because there are users who use a very long session ID lifetime for
> "auto login". 10K new session IDs are possible for relatively small
> sites too, because OWASP recommends session ID regeneration every
> 15 minutes.

I forgot to mention that "session management without timestamp will make the
situation worse", because session_regenerate_id() creates many active sessions
by default. (Please refer to the declined RFC for timestamp-managed sessions:
https://wiki.php.net/rfc/precise_session_management )

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
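The collision estimate quoted above can be checked numerically. The following is an added example written for this page; it is not code from the mail, from OWASP or from PHP. It assumes the simple model the paraphrase implies: every new ID is drawn uniformly from 2^entropy_bits values, the pool of valid IDs stays at a constant size, and collisions arrive at a constant rate, so the mean waiting time to the first collision is the reciprocal of that rate. It also shows how the result moves when the entropy, the regeneration rate or the number of live sessions changes, which is the point of the remarks about auto-login lifetimes and regeneration every 15 minutes.

```python
"""Expected time to a session ID collision under the OWASP-style model.

Added example (not part of the original mailing-list post). Model assumptions:
  - each new ID is a uniform sample from 2**entropy_bits possibilities
  - `active` valid IDs exist at any moment (treated as constant)
  - `per_second` new IDs are minted each second (new + regenerated sessions)
"""
import math
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600


def collision_probability_per_id(entropy_bits: int, active: int) -> Fraction:
    """Probability that one freshly minted ID equals one of `active` existing IDs."""
    return Fraction(active, 2 ** entropy_bits)


def expected_collisions_per_second(entropy_bits: int, per_second: int, active: int) -> Fraction:
    """Mean number of collisions per second: minting rate times per-ID collision probability."""
    return per_second * collision_probability_per_id(entropy_bits, active)


def expected_years_to_first_collision(entropy_bits: int, per_second: int, active: int) -> float:
    """Mean waiting time until the first collision, in years (1 / rate)."""
    rate = expected_collisions_per_second(entropy_bits, per_second, active)
    return float(1 / rate) / SECONDS_PER_YEAR


def probability_of_collision_within(entropy_bits: int, per_second: int, active: int,
                                    seconds: float) -> float:
    """P(at least one collision within `seconds`), Poisson approximation 1 - exp(-rate*t)."""
    rate = float(expected_collisions_per_second(entropy_bits, per_second, active))
    return 1.0 - math.exp(-rate * seconds)


if __name__ == "__main__":
    # The figures from the paraphrased OWASP scenario: 64 bits of entropy,
    # 10,000 new IDs/s, 10,000,000 valid IDs.
    years = expected_years_to_first_collision(64, 10_000, 10_000_000)
    print(f"64 bits, 10k IDs/s, 10M live: first collision expected in {years:.2f} years")
    p_year = probability_of_collision_within(64, 10_000, 10_000_000, SECONDS_PER_YEAR)
    print(f"  probability of a collision within one year: {p_year:.3f}")

    # Same traffic, but the full 128 bits of the identifier are real entropy.
    print(f"128 bits, same load: {expected_years_to_first_collision(128, 10_000, 10_000_000):.3e} years")

    # Fewer live sessions (e.g. stale sessions expired promptly) lowers the rate linearly.
    print(f"64 bits, 100k live: {expected_years_to_first_collision(64, 10_000, 100_000):.1f} years")
```

With the quoted parameters the model gives roughly 5.8 years to the first expected collision, consistent with the mail's "greater than 2 years", and about a 16% chance of at least one collision in any given year. Raising the effective entropy to 128 bits pushes the expectation to around 10^20 years, while keeping the same 64 bits but holding 100 times fewer sessions alive buys only a factor of 100.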