Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96163 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 769 invoked from network); 26 Sep 2016 22:46:40 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Sep 2016 22:46:40 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.45 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.218.45 mail-oi0-f45.google.com Received: from [209.85.218.45] ([209.85.218.45:36314] helo=mail-oi0-f45.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FD/C4-04248-E45A9E75 for ; Mon, 26 Sep 2016 18:46:39 -0400 Received: by mail-oi0-f45.google.com with SMTP id t83so225090928oie.3 for ; Mon, 26 Sep 2016 15:46:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=8jlyRVepoDoCnQmYuiD6U7Nc4HkK5OOCjG55vuq0Dzo=; b=r/i7VtLHDTB9dxsviLccEsQwNReoFzdu5BOnCjhjI6tFlBOY+put4Y9byPxeVX6pE0 sZeKYAyGnbwQ2pBmDFfhzk9B0tnuhn2tBDCYWGhBlEKwpUbaXn7BS7M8g9LpdUVWW2fO vhRh/4IDpTXC6vYAVPwflEQOxEhzP8fJEN3SrOhg540NfwGr25F4Kv2KOz2Hq+7yUCI+ lBdwzUMw8RD5T/qD+UYOCLyF8j7eotBFiMHCCSo4SZC1mo1oJUgHP+7lg69qijvaLdT5 pryOHr3fkqC5yGSD+AMdNyxZRm1g7RPcJQYG4yqMp3odYpdqfHUe9x/macCWHLuTENcn xEew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=8jlyRVepoDoCnQmYuiD6U7Nc4HkK5OOCjG55vuq0Dzo=; b=aWdBxf4oZlU9FDtPlY3hPtn4mN3pEh9FJ1hJYYSMx3hXJcPWfYAQWCRmsvSl27gXpi oPc/U9W+uBlrcLmlZggZS92adG/si/Mw8S0NilCVhnrZm5/LWotoh/zW/BburI+1Umkg C0aBpRO6HK2rYV0MZXX92cX9xfmIagdCJPtgDd7KmwPh0U79zw1mfC6/AN6F2QDL2vQ2 zzgSWTilACT4ND5JZk6gM9A9iaQPH6g79F8EEL5rroeB9Nmpn00HeOcXiBvyC5YqH01l JNMz8aTgdwJd9Dkk5lXTH0RZ5KTdfAHTrznNy1pQjQ3s+NBr+K1lp0sQ454U+eBRWVKG 9l2Q== X-Gm-Message-State: AE9vXwNFNf/MAKEg/1+kUkj+QfMejjwGPvv/RKaJwk/33p9m2PLOFqVUP3kO9X2X2ZS1QQ== X-Received: by 10.202.86.66 with SMTP id k63mr29985651oib.69.1474929995445; Mon, 26 Sep 2016 15:46:35 -0700 (PDT) Received: from Stas-Air.local (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104]) by smtp.gmail.com with ESMTPSA id r106sm81681ota.25.2016.09.26.15.46.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Sep 2016 15:46:34 -0700 (PDT) To: Yasuo Ohgaki References: <36d925dc-f5a4-b6fb-1060-decf2c7f5271@gmail.com> Cc: "internals@lists.php.net" Message-ID: <950524ee-645a-e3ff-a034-16a2cdf74677@gmail.com> Date: Mon, 26 Sep 2016 15:46:33 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: Fixing halfway implemented session management - timestamp based session management OR remove session_regenerate_id() From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > Because current session module cannot distinguish if session ID come > from outside, i.e. session cookie/trans sid, or script. This could be > improved, but user should control session.use_strice_mode currently. I think quite the opposite - user's shouldn't change stict_mode settings in runtime. > I realized that accessible magic values in $_SESSION were unpopular > from discussions. I proposed minimum change also and It was declined. I know the RFC was declined, but RFC was huge and changed a lot of things. I propose a very small and limited change on which we can build incrementally. > Differences are, it hides timestamp from $_SESSION, timestamp is only > viewable via API. I don't think we need to hide things, really. Why hide it? > Unprecise > - Cannot make sure obsolete session removal. > - Accessibility to obsolete session is controlled by GC. (Attackers > can keep it alive by simply accessing it) Since that session is marked as deleted, you can easily reject it. So it doesn't matter if it's kept alive or not. > Unsecure > - No way to detect possible session hijack. (My last proposal omit > raising error because people seem to care about BC too much rather > than security. Adding error/exception is matter of few lines) I think you are confusing here "insecure" (allows privilege escalation, unauthorized access, etc.) and "does not allow detection for particular attack". I'm not sure what this does with session hijack at all - if somebody hijacked your session, how would you detect it with session_regenerate_id()? I don't think this function has anything to do with attack detection, and in general attack detection is not what session mechanism is really for. If somebody got hold of your authenticated session ID, it's pretty much game over for you, unless you have protections like IP-control, etc. which are beyond the scope of current discussion. I think one of the reasons the previous RFC failed is that you tried to do a lot of different and very tangentially related things at once. Let's not do that again. > Timestamp based management is mandatory for precise/secure session management. You keep repeating this but just repeating this doesn't add much to the discussion. I think everybody is aware of your opinion by now, and simply repeating it again and again does not add much. Let's proceed to more specific arguments. -- Stas Malyshev smalyshev@gmail.com