Hi all,
Security-related changes in the session module tend to take a looong time
even if the issue is a serious security threat.
An example is the adoptive session manager issue. Accepting a user-specified
(i.e. not generated by the session manager) session ID allows an attacker to
hijack a session permanently, very easily.
The session manager must reject any session ID that was not generated by
the session manager. This was proposed in the PHP 4 era, around 2004 IIRC. It was
implemented for PHP 5.4 and up as 'session.use_strict_mode'. It took
about 9 years for this change.
This change was originally proposed by Stefan Esser. It was obvious to
me that the change is mandatory. I thought the change was merged
immediately after the proposal, but it wasn't. I realized that a few
years later and tried to apply the change. It took several more years until
it was merged.
The reason it took so long is that not many of us realized the
consequence/threat of the old session module behavior: that an adoptive
session manager allows permanent session hijacking easily.
("session.use_strict_mode" is not enabled by default even in PHP 7.0,
BTW. Thus, it is still a serious threat.)
I also realized years ago that timestamp-based session management is
mandatory. Without timestamp-based management, sessions are too easy to
exploit. However, again, many of us did not realize that timestamp-based
session management is mandatory.
https://wiki.php.net/rfc/precise_session_management
(This one is second RFC attempt)
Unfortunately, this proposal was rejected. Spending yet more years
on a mandatory session management improvement is not good for us. I
would like to implement mandatory security improvements in the session
module for the next minor release, with secure by default in mind.
The only valid argument against timestamp-based session management
would be "Users should implement/change it themselves". However, a
user-space implementation is neither simple nor efficient.
Those who voted against the RFC, please let me know the reason
why. I may be missing important parts. If this is the case, I'm
willing to improve it. If not, I assume you disliked the inclusion of simple
security enhancements like INI default changes.
If you think timestamp-based session management is not needed, please
explain the rationale.
Let's discuss and finish what needs to be done.
Regards,
P.S. I'll write a separate RFC for session security improvements like
INI changes and hash function removal, so please keep this thread for
timestamp-based session management discussion only. Please note that GC-
based management and timestamp-based management are very different
methods.
--
Yasuo Ohgaki
yohgaki@ohgaki.net
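As an added illustration (not part of this e-mail, and not PHP's own session module code), the following Python model contrasts an adoptive session manager with a strict one, and models the timestamp-based treatment of an obsolete session ID after regeneration that the linked RFC describes: the old ID stays readable for a short grace period, then any later use is treated as a probable stolen ID and the whole chain of sessions descended from it is destroyed. The class and function names, the 60-second grace period, and the planted ID and clock values are assumptions made for the model.

```python
import secrets
import time


class SessionHijackSuspected(Exception):
    """Raised when an obsolete session ID is presented after its grace period."""


class SessionStore:
    """In-memory model of two session-manager policies (not PHP's code).

    strict=False models the adoptive behaviour (session.use_strict_mode=0):
    an ID the client sends is accepted and a session is created under it,
    so an attacker can plant an ID and later reuse it.
    strict=True models session.use_strict_mode=1: an ID this store did not
    generate is discarded and a fresh one is issued.

    regenerate() models timestamp-based management: the old ID stays usable
    for a short grace period (in-flight requests), records which new ID
    replaced it, and any later use is treated as a probable stolen ID.
    """

    def __init__(self, strict, grace=60.0, now=time.time):
        self.strict = strict
        self.grace = grace          # seconds an obsolete ID remains readable (assumed)
        self.now = now              # injectable clock for deterministic demos
        self.sessions = {}          # sid -> {"data", "expires", "next"}

    def _new_session(self, sid, data=None):
        self.sessions[sid] = {"data": {} if data is None else data,
                              "expires": None, "next": None}
        return sid, self.sessions[sid]["data"]

    def start(self, client_sid):
        """Handle a request carrying client_sid (None = no cookie).

        Returns (sid, data); data is the live dict for that session.
        """
        rec = self.sessions.get(client_sid) if client_sid else None
        if rec is not None:
            if rec["expires"] is None or self.now() < rec["expires"]:
                return client_sid, rec["data"]
            # Obsolete ID used after the grace period: probable hijack.
            # Destroy the old session and every ID that descended from it.
            self._destroy_chain(client_sid)
            raise SessionHijackSuspected(client_sid)
        if client_sid and not self.strict:
            # Adoptive manager: trust the client-supplied ID as-is.
            return self._new_session(client_sid)
        # Strict manager (or no cookie): only store-generated IDs are valid.
        return self._new_session(secrets.token_hex(16))

    def regenerate(self, sid):
        """Issue a new ID for sid; keep the old one readable only during grace."""
        old = self.sessions[sid]
        new_sid, _ = self._new_session(secrets.token_hex(16), dict(old["data"]))
        old["expires"] = self.now() + self.grace
        old["next"] = new_sid
        return new_sid

    def _destroy_chain(self, sid):
        while sid in self.sessions:
            sid = self.sessions.pop(sid)["next"]


def fixation_attack(strict):
    """Attacker plants a known ID in the victim's cookie; the victim logs in.

    Returns True if the attacker can then read the victim's logged-in data.
    """
    store = SessionStore(strict=strict)
    planted = "attackerchosenid"            # constructed, attacker-known value
    _, victim_data = store.start(planted)   # victim's first request
    victim_data["user"] = "victim"          # victim authenticates
    _, attacker_data = store.start(planted)  # attacker presents the same ID
    return attacker_data.get("user") == "victim"


def obsolete_id_demo():
    """Timestamp-based handling of the old ID after regeneration.

    Returns (old ID usable inside grace, outcome after grace, new ID survives).
    """
    clock = [1_000.0]                       # constructed clock, seconds
    store = SessionStore(strict=True, grace=60.0, now=lambda: clock[0])
    sid, data = store.start(None)
    data["user"] = "alice"
    new_sid = store.regenerate(sid)

    clock[0] += 10                          # in-flight request, still in grace
    _, d = store.start(sid)
    usable_in_grace = d.get("user") == "alice"

    clock[0] += 100                         # well past grace: stolen old ID
    try:
        store.start(sid)
        after_grace = "accepted"
    except SessionHijackSuspected:
        after_grace = "rejected"
    return usable_in_grace, after_grace, new_sid in store.sessions


if __name__ == "__main__":
    print("adoptive manager hijacked:", fixation_attack(strict=False))
    print("strict manager hijacked:  ", fixation_attack(strict=True))
    print("obsolete ID demo:", obsolete_id_demo())
```

The adoptive store is hijacked because the planted ID becomes a real session the moment the victim's browser presents it; the strict store discards it, so the attacker's copy of the ID never maps to the victim's data. In the regeneration demo the old ID is honoured for 10 seconds (an in-flight request), but its use 110 seconds later destroys both the old and the replacement session rather than silently serving either.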