Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96164 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 2335 invoked from network); 26 Sep 2016 22:53:03 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Sep 2016 22:53:03 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:50378] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 43/25-04248-DC6A9E75 for ; Mon, 26 Sep 2016 18:53:02 -0400 Received: (qmail 101097 invoked by uid 89); 26 Sep 2016 22:52:57 -0000 Received: from unknown (HELO mail-qk0-f177.google.com) (yohgaki@ohgaki.net@209.85.220.177) by 0 with ESMTPA; 26 Sep 2016 22:52:57 -0000 Received: by mail-qk0-f177.google.com with SMTP id z190so186004587qkc.3 for ; Mon, 26 Sep 2016 15:52:55 -0700 (PDT) X-Gm-Message-State: AA6/9Rlysve7xTesqb1yVwP2+ElTaOblJst1M6YEEODyx1QkyHI0wzGGbR5XLTFmZ7DjP6AjdGyvTtW+tyjoUg== X-Received: by 10.55.54.15 with SMTP id d15mr23715195qka.262.1474930369972; Mon, 26 Sep 2016 15:52:49 -0700 (PDT) MIME-Version: 1.0 Received: by 10.140.84.168 with HTTP; Mon, 26 Sep 2016 15:52:09 -0700 (PDT) In-Reply-To: References: Date: Tue, 27 Sep 2016 07:52:09 +0900 X-Gmail-Original-Message-ID: Message-ID: To: Stanislav Malyshev Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Fixing halfway implemented session management - timestamp based session management OR remove session_regenerate_id() From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Stas, On Mon, Sep 26, 2016 at 3:02 PM, Stanislav Malyshev wrote: >> Timestamp based session management is required to manage session as it >> should. I've updated the session manual pages a while a ago to explain >> why. > > Could you explain what you mean here? "As it should" is kind of broad :) > >> http://php.net/manual/en/session.security.php >> http://php.net/manual/en/function.session-regenerate-id.php > > It looks like those need some polishing. If somebody with native English > volunteers it'd be great, otherwise I'll do it a bit later. It'd be also Thank you. Please revise, but please do it after realizing underlying issues. > nice to avoid claims of "mandatory" and instead just put explanations of > what each option is doing and what is the recommended setting. Nothing > that is controlled by an option is "mandatory" by definition. Timestamp is mandatory to manage session precisely and securely. Current session management is _not_ precise/secure as it does not control session data expiration and splitted session. i.e. It does not do anything for legitimate and malicious user's session when there is hijack attack. Mandatoriness of timestamp based session management is obvious to me. If you have question, I'll try to explain why. > > I also see http://php.net/manual/en/function.session-regenerate-id.php > "warning" which I assume was added by you claims "Immediate session data > deletion disables session hijack attack detection and prevention also." > - I do not think this is accurate. Or at least it's not clear enough if > I can't properly understand what it means :) OK. I'm not sure how to improve "Immediate session data deletion disables session hijack attack detection and prevention also." If session data removed immediately, not only it causes client/network races, but also make session hijack detection impossible. BTW, current implementation does not do anything when a session is splitted into 2 sessions, i.e. legitimate and cracker session due to session hijack. Both sessions work as authentic session. session_regenerate_id() must result in only one active session eventually. > >> Although session module has over 10 years of history, session module >> lacks basic feature and is not implemented fully yet. As I mentioned >> in above manual pages, it does not have _mandatory_ timestamp based >> session management. >> >> I proposed implementation [1], but it was declined even if it is >> mandatory for session module to manage session data correctly and >> precisely. > > Obviously, other people disagree about how mandatory it is. :) So you do not think timestamp based session management is not mandatory. Then how do you accomplish securing session data? - How to prevent race conditions by network and client? - How to recover from lost sessions? (Network race condition cannot be fixed) - How to prevent race conditions in browsers? (We cannot fix browsers) - How to detect possible attacks? If there is nothing we can do, we may leave problem as it is. However, timestamp can resolve almost all issues. (My proposal attempt reconnect session only once, so it could lose session but will be rare compare to do nothing) > >> Some may think "timestamp management should be part of user task", but >> even simple basic feature like session_regenerate_id() can NOT work as >> it supposed without timestamp based management. (Other mandatory tasks >> have problems also, but I ignore them for now) > > I was under impression it already works as it supposed to, but obviously Sudden loss of session is not something user expect as a normal behavior. > you are of different opinion, so I'd like to hear details about why. If > you're talking about the case where network connection drops in the > middle of reading the new session ID, I still think it is a very exotic > and rare use case and claiming this function needs to be deleted because > it doesn't cover this case makes little sense to me. We have several bug reports for this. I personally experienced this issue with very large web service also. It's not that rare. I observed handful races per day for the application. I don't consider it rare and ignorable. > > I've been using PHP servers with session_regenerate_id() for many years > and never heard complaints about this. Of course, your user base may be > different, but I still question that we need to implement a complex > system and overhaul most of the session management to serve this rare case. This is hard to notice, but it happens for sure. For example, session ID being empty (this is client side race) had 17 votes. https://bugs.php.net/bug.php?id=68063 I fixed this by rejecting and resetting empty session ID. We have sudden session loss bug reports also. Following bug report has 8 votes. https://bugs.php.net/bug.php?id=70584 This one cannot be fixed without timestamping. (Otherwise, use very loose and insecure session management is required) Session module should do better job and it can. > >> There is userland workaround as described. User can implement their >> own session_regenerate_id() as described in the manual page. >> >> Since session management is very important feature for web apps, we >> shouldn't keep providing halfway implemented API forever. >> Implementation or removal is required. >> timestamp based (precise) session management again. > > What substantial changes do you propose to make since the previous RFC? > We can't just keep voting on the same thing until we get result that you > like, that's not how it works. I'm proposing 2 choices now. - Adopting timestamp in session - Remove features that cannot work correctly without timestamp. > >> session_regenerate_id() deprecation now and removal in future version. > > This makes no sense to me, at least without a lot of additional > explanation. Current session_regenerate_id() cannot do the optimal job for the task. i.e. It results in empty session ID (my fix is merely a workaround. The problem is still there), lost session ID, session hijack attack is undetectable/cannot prevent. These issues are fatal. IMHO. Therefore, timestamp is mandatory. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net