Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96147
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 35655 invoked from network); 26 Sep 2016 06:03:03 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Sep 2016 06:03:03 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.177 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.192.177 mail-pf0-f177.google.com  
Received: from [209.85.192.177] ([209.85.192.177:35612] helo=mail-pf0-f177.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F1/4E-11573-61AB8E75 for <internals@lists.php.net>; Mon, 26 Sep 2016 02:03:02 -0400
Received: by mail-pf0-f177.google.com with SMTP id s13so27635543pfd.2
        for <internals@lists.php.net>; Sun, 25 Sep 2016 23:03:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=SxASxdRgdHdsWS2zaylVagTj4urcW+70Yq4fGclitoQ=;
        b=M7z2LfJoaLFO917irQvRLEm94K+VDWq6iP/TFKecxeA6Qk9Sp9zmvAoBQerkRIvoM0
         gEGNtNA1Kp6qrE0xyjxJR3tgPm08iMaEzuiGj2WymAYQ/lW+Zt4SSRB0lMjxi7H1JRUM
         5hEvHt5YRKvFVpWq8oPqH5qbFCxL9y29VBZNgIj7W7CYfPD/FrgoTvWoN1PIXoVm1E+k
         SQc/vz+8mphm9oRDdhzkaoooHxUq8+z+0AL03EaFHm2Vd/gJbBDuFZY3XWADVhXuxQ46
         rUbidU53jZw7QCU29aFdRGSvh4O22kccaTPR/ALxn4K5JIzZQFIe3LkQd/2GarTMR2vT
         pAhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=SxASxdRgdHdsWS2zaylVagTj4urcW+70Yq4fGclitoQ=;
        b=cmSW0COztD+seRqJFIpKsAf5Cirk/zriPhlk26LoojjRwjsHZIBCY96c9GtmIciUno
         LRKZ6qVALlv+R6xKBm5HX9aV0hDsge2Xqd+NeIz8VTeVP8TKF3J8K54pm0VxqWf21PRo
         IVM0Dz2bBhTjN9DF5oTlzTFAz2hUgAL0SZ0vNS8WkJNOFbqYYifSc6FeD3yAuj6YorhV
         g73CLoQCZToD3WcLeRk4RzGjD5lgNJC8tZfkMwhOET9uhsxjwY2tL/QRYh0zGUrJgY+D
         Eqxav38cEYKi1BFeW5+caHDkPglbZ2gkXQBtIF5kvU0vB+zd6SyZbeV8iS7lpoK7MV1D
         dHnA==
X-Gm-Message-State: AE9vXwOLGyj2eNr9o/JPO2DkphfVvNaEg7bhbn3HiFVOThkirvnY29etN6Bxtg/CfikENQ==
X-Received: by 10.98.80.78 with SMTP id e75mr35914591pfb.131.1474869779538;
        Sun, 25 Sep 2016 23:02:59 -0700 (PDT)
Received: from Stas-Air.local ([198.8.80.37])
        by smtp.gmail.com with ESMTPSA id ad15sm27484348pac.33.2016.09.25.23.02.58
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 25 Sep 2016 23:02:59 -0700 (PDT)
To: Yasuo Ohgaki <yohgaki@ohgaki.net>,
 "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXaX1eZS=_Xg3JjCVZRBSruMy6yUk-PTrKoGOwW5Tg=0_Q@mail.gmail.com>
Message-ID: <c90779f0-0034-b3fc-e2fe-e19503a196ce@gmail.com>
Date: Sun, 25 Sep 2016 23:02:58 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
 Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAGa2bXaX1eZS=_Xg3JjCVZRBSruMy6yUk-PTrKoGOwW5Tg=0_Q@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Fixing halfway implemented session management -
 timestamp based session management OR remove session_regenerate_id()
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> Timestamp based session management is required to manage session as it
> should. I've updated the session manual pages a while a ago to explain
> why.

Could you explain what you mean here? "As it should" is kind of broad :)

> http://php.net/manual/en/session.security.php
> http://php.net/manual/en/function.session-regenerate-id.php

It looks like those need some polishing. If somebody with native English
volunteers it'd be great, otherwise I'll do it a bit later. It'd be also
nice to avoid claims of "mandatory" and instead just put explanations of
what each option is doing and what is the recommended setting. Nothing
that is controlled by an option is "mandatory" by definition.

I also see http://php.net/manual/en/function.session-regenerate-id.php
"warning" which I assume was added by you claims "Immediate session data
deletion disables session hijack attack detection and prevention also."
- I do not think this is accurate. Or at least it's not clear enough if
I can't properly understand what it means :)

> Although session module has over 10 years of history, session module
> lacks basic feature and is not implemented fully yet. As I mentioned
> in above manual pages, it does not have _mandatory_ timestamp based
> session management.
> 
> I proposed implementation [1], but it was declined even if it is
> mandatory for session module to manage session data correctly and
> precisely.

Obviously, other people disagree about how mandatory it is. :)

> Some may think "timestamp management should be part of user task", but
> even simple basic feature like session_regenerate_id() can NOT work as
> it supposed without timestamp based management. (Other mandatory tasks
> have problems also, but I ignore them for now)

I was under impression it already works as it supposed to, but obviously
you are of different opinion, so I'd like to hear details about why. If
you're talking about the case where network connection drops in the
middle of reading the new session ID, I still think it is a very exotic
and rare use case and claiming this function needs to be deleted because
it doesn't cover this case makes little sense to me.

I've been using PHP servers with session_regenerate_id() for many years
and never heard complaints about this. Of course, your user base may be
different, but I still question that we need to implement a complex
system and overhaul most of the session management to serve this rare case.

> There is userland workaround as described. User can implement their
> own session_regenerate_id() as described in the manual page.
> 
> Since session management is very important feature for web apps, we
> shouldn't keep providing halfway implemented API forever.
> Implementation or removal is required.
>   timestamp based (precise) session management again.

What substantial changes do you propose to make since the previous RFC?
We can't just keep voting on the same thing until we get result that you
like, that's not how it works.

>   session_regenerate_id() deprecation now and removal in future version.

This makes no sense to me, at least without a lot of additional
explanation.

-- 
Stas Malyshev
smalyshev@gmail.com