Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96154 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 76196 invoked from network); 26 Sep 2016 18:02:36 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Sep 2016 18:02:36 -0000 Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.175 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 209.85.216.175 mail-qt0-f175.google.com Received: from [209.85.216.175] ([209.85.216.175:34129] helo=mail-qt0-f175.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A4/C0-04248-BB269E75 for ; Mon, 26 Sep 2016 14:02:35 -0400 Received: by mail-qt0-f175.google.com with SMTP id 38so85865433qte.1 for ; Mon, 26 Sep 2016 11:02:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=QGVTPP0WJ3AyhdBYpQ/W1Qme7fUhGAUkD3b9MJkrcqo=; b=p2Lz9UN3wZV6JFGrA+kvWExYgvf0K+1eF6qJpUnWUY1KlfHG0a3QpQWP4DNvmIxv/j yvjKYyKVuJQRNPFO9Xk5uagY50N7YCs3+ACGLTE6gF2KSLsimyaMOJIH/HPVaai/AziG cncAuzSG985Vl4BzqFRZ0RVE2f5dlbjWHsgV0wR6q9u2WtTY6hriNJtgPQxBpvT0b3jh 1NXm6mUD375jA8Oj3KHImcr94+JoFpD0kWVW+5RXs1Xy76w0PVuHzB9OYa70fKliArgR rAL8yApynH7UR0BbiAxKV1Y80S4WNCGducSMm2GamlD9AjM6nkq89y3Xtxckc2qBq8Fx T+uQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=QGVTPP0WJ3AyhdBYpQ/W1Qme7fUhGAUkD3b9MJkrcqo=; b=kWowh6m0qww3mP6UdReMLkruG7Nii91zCofLbi/+F/9htlDrJldmXgrf+tHrk5TlKm cN7i9eto/DNcqLchiCmosJXrctrHAbL/GrPHuYG+LcahVaBu4byo+nxGhnWbBjcwLp1K QWPAhFELgY6YurQkEob7yja+gM+cp+iD96tsvVdSMO7F8bHEi3ht9wbqeDxsYJEkaJk3 Shntlvk+CDSAvPRBWpZuEZslO6Bn21lL7cYnoLTkerv/HV8ooXVU3FoMXlG8Qcd8eewk dcvAKc7lmOxsVUxEP/6NWSKZ+uie6/7IUVsNjtGExSkRuRz5qFDrRnrKvh5Wra/HI7tU uwcQ== X-Gm-Message-State: AA6/9RndIk7knFmkEvyC8qRgBIkYyolIeXqDL6oa1QmjEE0X3q6CC++CIwTKN5YukfqlHw== X-Received: by 10.28.14.20 with SMTP id 20mr17169660wmo.6.1474912952158; Mon, 26 Sep 2016 11:02:32 -0700 (PDT) Received: from [192.168.1.5] ([95.148.161.240]) by smtp.googlemail.com with ESMTPSA id q10sm12411882wme.6.2016.09.26.11.02.31 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Sep 2016 11:02:31 -0700 (PDT) To: internals@lists.php.net References: Message-ID: <327bf6ed-cd4a-dd4a-3d77-5a79e645d2d6@gmail.com> Date: Mon, 26 Sep 2016 19:02:29 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Fixing halfway implemented session management - timestamp based session management OR remove session_regenerate_id() From: rowan.collins@gmail.com (Rowan Collins) On 26/09/2016 07:02, Stanislav Malyshev wrote: >> http://php.net/manual/en/session.security.php >> >http://php.net/manual/en/function.session-regenerate-id.php > It looks like those need some polishing. If somebody with native English > volunteers it'd be great, otherwise I'll do it a bit later. I was about to make the same comment. I'm sure there are some very important points in here, but it's quite hard to follow. For instance, the section "Non-Adaptive Session Management" jumps straight in with the claim that "PHP's session manager is adaptive by default", but never explains, as far as I can see, what that actually means. There's also far too many Warning and Note pop-outs on that page - the whole page is security advice, does it really make sense to colour every other paragraph pink? I think a better approach for both the manual and RFCs proposing changes is to try to summarise the key attacks users need to protect against, and how to protect against them (as well as some of the trade-offs involved). Perhaps then an additional summary at the end with the recommended combination of settings. Use bullet points, summary sentences, etc. I've probably got some details wrong here, but just as an example of the style: Session Hijacking =============== Session Hijacking is one of the simplest session-related attacks: an attacker accesses the website using another user's session. This can lead to problems such as: - The attacker impersonating a known user. - The attacker gaining access to restricted parts of a site. - The attacker accessing the user's personal details stored on the server (e.g. a "My Account" or "My Orders" page) To protect against session hijacking, you should: - Restrict the places the session ID appears. For instance, set the session manager to use HTTP-only cookies, and no URL rewriting. - Verify that the same user is accessing the session on each request. For instance, store "fingerprint" details such as User Agent and discard the session if it changes. - ... Session Fixation ============== Session Fixation is similar to Session Hijacking, but rather than discovering the user's session ID, the attacker chooses a new session ID and tricks the application into using that session ID. ... and so on ... Regards, -- Rowan Collins [IMSoP]