Solution for session_regenerate_id() issues

From: Date: Thu, 13 Mar 2014 04:03:15 +0000
Subject: Solution for session_regenerate_id() issues
Groups: php.internals 
Hi all,

Current session_regenerate_id() has issues. I'll try to explain what these
are.

Issue 1: Old session data is not deleted.

session_regenerate_id() does not delete the old session by default. It leaves
the old session available. When an attacker can steal the session ID via
XSS/sniffing/etc., the attacker can use the session ID as a valid ID for as long
as the application allows. No detection/prevention of a security breach is
possible at the session module level. This behavior is unacceptable for
security reasons.

Issue 2: Old session data cannot be deleted.

session_regenerate_id(TRUE) deletes old session data immediately. It's good
for security, but if there are multiple connections from a client to the server
(e.g. AJAX/iframe/tabs/etc.), a valid connection may fail since it could be
using the old session ID. Therefore, session_regenerate_id() does not delete
old session data. Immediate session data deletion is unacceptable for
reliable operation.

To solve these 2 issues, we need to delay old session data deletion. Delete
old session data 60 seconds later, for example.

Any other feasible solutions are welcome. I cannot think of any.

Regards,

P.S. Even with HTTP 2.0, old session data cannot be deleted immediately.
User may use multiple tabs.

--
Yasuo Ohgaki
[email protected]
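The delayed-deletion scheme proposed above can be approximated in userland today, without changes to the session module. The following is an added illustration, not code from the post or from PHP itself: the old session is not destroyed at regeneration time but is stamped with a retirement timestamp and a pointer to its successor; on later requests the stamp is checked, so a late AJAX/iframe/tab request inside the grace period is migrated to the new ID, while a request that arrives after the grace period (the stolen-ID case from Issue 1) is logged and refused the data. It assumes PHP 7.1 or later for session_create_id(), session.use_strict_mode=1 so that a destroyed ID cannot be re-created from the cookie, and a 60-second grace period (the value named in the post; the constant and function names are my own).

```php
<?php
// Added example (not part of the original post): delayed deletion of the old
// session after regeneration, enforced at the application level.
// Assumes PHP >= 7.1 and session.use_strict_mode=1.

ini_set('session.use_strict_mode', '1');

// Seconds the retired ID remains usable after regeneration (value from the post).
const OLD_SESSION_GRACE = 60;

/**
 * Drop-in replacement for session_start() that honours the retirement stamp
 * left behind by secure_session_regenerate_id().
 */
function secure_session_start(): void
{
    session_start();

    if (!isset($_SESSION['destroyed'])) {
        return; // a live session: nothing to check
    }

    if ($_SESSION['destroyed'] < time() - OLD_SESSION_GRACE) {
        // Grace period is over: a retired ID is being presented. This is the
        // signal the session module cannot give today (Issue 1). Log it and
        // refuse the old data; strict mode makes session_start() issue a new ID.
        error_log('Retired session ID used after grace period: ' . session_id());
        $_SESSION = [];
        session_destroy();
        session_start();
        return;
    }

    // Inside the grace period (Issue 2): a late request still carrying the old
    // ID. Hand it the successor ID so it catches up instead of failing.
    $newId = $_SESSION['new_session_id'];
    session_commit();
    session_id($newId);          // successor already exists in storage, so strict mode accepts it
    session_start();
}

/**
 * Regenerate the session ID but keep the old session readable for
 * OLD_SESSION_GRACE seconds instead of deleting it immediately.
 */
function secure_session_regenerate_id(): void
{
    $data  = $_SESSION;               // carry the user's data over to the new ID
    $newId = session_create_id();

    // Retire the current session: stamp it and record its successor.
    $_SESSION['destroyed']      = time();
    $_SESSION['new_session_id'] = $newId;
    session_commit();

    // Start the successor. It does not exist in storage yet, so strict mode
    // must be relaxed for this one programmatic start only.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    ini_set('session.use_strict_mode', '1');

    $_SESSION = $data;                // the new session carries no retirement stamp
}

// Typical use: start the session, regenerate after a privilege change
// (e.g. login), then continue as usual.
secure_session_start();
// ... authenticate the user ...
secure_session_regenerate_id();
```

The retired session's storage is still reclaimed by the normal garbage collector once session.gc_maxlifetime passes; the grace period only decides whether the data is served to a request that presents the old ID.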
