Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95154
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 74852 invoked from network); 14 Aug 2016 22:40:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Aug 2016 22:40:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:58052] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D8/C4-36656-853F0B75 for <internals@lists.php.net>; Sun, 14 Aug 2016 18:40:26 -0400
Received: (qmail 129306 invoked by uid 89); 14 Aug 2016 22:40:21 -0000
Received: from unknown (HELO mail-qk0-f170.google.com) (yohgaki@ohgaki.net@209.85.220.170)
  by 0 with ESMTPA; 14 Aug 2016 22:40:21 -0000
Received: by mail-qk0-f170.google.com with SMTP id t7so30710127qkh.0
        for <internals@lists.php.net>; Sun, 14 Aug 2016 15:40:21 -0700 (PDT)
X-Gm-Message-State: AEkoousz4ovARYzPJqFAYUmT8ZMUp7u41rW+G/QgcuQgfCeHkTMgyXCRumfq9iVmNw7sbsb8j/O6f/iyoQb7HA==
X-Received: by 10.55.135.198 with SMTP id j189mr12569449qkd.60.1471214415719;
 Sun, 14 Aug 2016 15:40:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Sun, 14 Aug 2016 15:39:35 -0700 (PDT)
In-Reply-To: <CAGa2bXZoPtZ4anU=Q2RsgVssLW5O+a8f_-4sKAGj==MvJNrJ_g@mail.gmail.com>
References: <CAGa2bXaZhfXbU6N0-JGVPzkkxRdkcjEhkHP+YrQNH=XFX714-Q@mail.gmail.com>
 <CAPwsocFAMofROQE-OBfNiR4yrKKSss_owu0svu+Db66DmRbShw@mail.gmail.com>
 <CAGa2bXaxRA91q+ev-X3okKpNC=s3XEwC9deUYikTaUQPfOE-JQ@mail.gmail.com>
 <cc719c6c-598d-b103-96bf-eb3714a61365@thefsb.org> <CAGa2bXYNExeQLug=co8G1g+fdy6BXK9UbeyGkjss5s62R00Fdg@mail.gmail.com>
 <D3D49F41.70F4A%fsb@thefsb.org> <CAGa2bXYa-6gpyUH_yXwoob8aZA_UVjuRfzbrMxfdUp7j5jk8EQ@mail.gmail.com>
 <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk> <CAGa2bXYuO+y155BHG1hZSO75TzZqkH1RyU6C6jigEo9_goJoBA@mail.gmail.com>
 <CAGa2bXZoPtZ4anU=Q2RsgVssLW5O+a8f_-4sKAGj==MvJNrJ_g@mail.gmail.com>
Date: Mon, 15 Aug 2016 07:39:35 +0900
X-Gmail-Original-Message-ID: <CAGa2bXZV0cN8zxP1Buv_wtZJtXMcix2cbx1+hWgb_VbMOZqe-w@mail.gmail.com>
Message-ID: <CAGa2bXZV0cN8zxP1Buv_wtZJtXMcix2cbx1+hWgb_VbMOZqe-w@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

"The default 128 bits Session ID is large enough to ignore collisions"
discussion is added for new readers and people couldn't follow
discussion in ML threads.

https://wiki.php.net/rfc/session-create-id#discussions

For the record, when session module was implemented, the way it is now
is considered good enough for most users. Circumstances change as time
goes by.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net


On Mon, Aug 15, 2016 at 5:13 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> Hi all,
>
> It seems importance of session ID validation that prevents collisions
> is not recognized enough.
>
> Brute force session ID hihack risk is described here.
> https://www.owasp.org/index.php/Insufficient_Session-ID_Length
>
> The expected number of seconds required to guess a valid session
> identifier is given by the equation:
>
> (2^B+1)/(2*A*S)
>
> Where:
>
> B is the number of bits of entropy in the session identifier
> A is the number of guesses an attacker can try each second
> S is the number of valid session identifiers that are valid and
> available to be guessed at any given time
>
> It says
>
> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy. With a very large web site, an attacker might try 10,000
> guesses per second with 100,000 valid session identifiers available to
> be guessed. Given these assumptions, the expected time for an attacker
> to successfully guess a valid session identifier is greater than 292
> years."
>
> 292 years may sounds long enough. However, even though the document
> explicitly states "it requires validated session ID", but it is clear
> it assumes "session manager that validates session ID".
>
> Let me paraphrase OWASP's document to show why.
>
> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy. With a very large web site, legitimate users might creates
> 10,000 new session ID per second (New and regenerated session) with
> 10,000,000 valid session identifiers available to be collided. Given
> these assumptions, the expected time web system to successfully has
> collided identifier is greater than 2 years."
>
> Assumption for security should be pessimistic. OWASP makes pessimistic
> assumption for entropy in session ID, probably because proving "CSPRNG
> generates good quality of random bytes" is difficult.
>
> 10M active session is possible even with relatively small sites
> because there are users who use very long session ID life time for
> "auto login". 10K new session ID is possible for relatively small
> sites also because OWASP recommends session ID regeneration for every
> 15 minutes.
>
> IMHO, it's nonsense to argue "Session ID collision very rare and
> cannot happen", "PHP Session ID safe without collision detection",
> etc.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net