Re: Solution for session_regenerate_id() issues
Hi all,
Before I start working on the revised session module improvement patch, I would
like to address the session_regenerate_id() issue.
On Thu, Mar 13, 2014 at 1:03 PM, Yasuo Ohgaki <[email protected]> wrote:
> Current session_regenerate_id() has issues. I'll try to explain what these
> are.
>
> Issue 1: Old session data is not deleted.
>
> session_regenerate_id() does not delete the old session by default. It leaves
> the old session available. When an attacker can steal a session ID via
> XSS/sniffing/etc., the attacker can use that session ID as a valid ID for as
> long as the application allows. No detection/prevention of the security breach
> is possible at the session module level. This behavior is unacceptable for
> security reasons.
>
> Issue 2: Old session data cannot be deleted.
>
> session_regenerate_id(TRUE) deletes old session data immediately. It's
> good for security, but if there are multiple connections from a client to the
> server (e.g. AJAX/iframe/tabs/etc.), a valid connection may fail since it
> could still be using the old session ID. Therefore, session_regenerate_id()
> does not delete old session data. Immediate session data deletion is
> unacceptable for reliable operation.
>
> To solve these 2 issues, we need to delay old session data deletion.
> Delete old session data 60 seconds later, for example.
>
> Any other feasible solutions are welcome. I cannot think of any.
>
The current behavior (leaving an active session that attackers may be abusing)
is far from optimal. I can only think of delayed deletion as the solution for
this.
A delayed session deletion implementation has 2 options. (Introducing a
separate API has severe overheads, thus it's not an option.)
- Set and check a time stamp in $_SESSION. (Keeps save handler/serializer compatibility.)
- Set and check a time stamp in the raw session data. (Needs save handler/serializer modification.)
This is a "must be fixed" design problem for a new release, IMHO.
I don't mind which new release, but this should be fixed someday.
Regards,
--
Yasuo Ohgaki
[email protected]
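The first of the two options above (a time stamp kept in $_SESSION, so existing save handlers and serializers keep working) can be prototyped in userland without touching the session module. The following is an added example written for this page; it is not Yasuo's patch and not code from PHP itself. It assumes PHP 7.1 or later (for session_create_id()), a 60-second grace period as the thread suggests, and that session.use_strict_mode is normally enabled. The marker keys `_regen_expires` and `_regen_new_id` are names chosen here.

```php
<?php
// Added example (not the thread's or PHP's own code): delayed deletion of the
// old session after regeneration, with the time stamp stored in $_SESSION.
// Assumes PHP 7.1+ (session_create_id) and a 60-second grace period.

declare(strict_types=1);

const SESSION_GRACE_SECONDS = 60;   // assumed grace period for the old ID

/**
 * Replacement for session_regenerate_id(): the old record stays readable for
 * SESSION_GRACE_SECONDS so concurrent AJAX/iframe/tab requests that still
 * carry the old ID do not fail, and is destroyed on the first use after that.
 */
function regenerate_session_with_grace(): string
{
    $newId = session_create_id();

    // Mark the OLD record: when it expires and which ID replaced it.
    $_SESSION['_regen_expires'] = time() + SESSION_GRACE_SECONDS;
    $_SESSION['_regen_new_id']  = $newId;
    session_commit();                       // persists the markers under the old ID

    // Start the new session with the same data minus the markers.
    // Strict mode must be off for this one session_start(), because the
    // new ID does not exist in storage yet and strict mode would reject it.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    ini_set('session.use_strict_mode', '1');
    unset($_SESSION['_regen_expires'], $_SESSION['_regen_new_id']);

    return $newId;
}

/**
 * Replacement for session_start(): enforces the grace period on a session
 * that was superseded by regenerate_session_with_grace().
 * Returns 'fresh', 'grace' or 'expired' so the caller can log the outcome.
 */
function start_session_with_grace(): string
{
    session_start();

    if (!isset($_SESSION['_regen_expires'])) {
        return 'fresh';                     // ordinary, non-superseded session
    }

    if (time() <= $_SESSION['_regen_expires']) {
        // Inside the window: a late request from the same client (the
        // AJAX/iframe/tabs case). Move it onto the new ID instead of
        // letting it keep working on the old one.
        $newId = $_SESSION['_regen_new_id'];
        session_commit();
        session_id($newId);
        session_start();                    // new ID already exists, strict mode is fine
        return 'grace';
    }

    // Old ID presented after the window: this is the "old session still
    // available" problem from Issue 1. Destroy it and record the event so
    // a stolen-ID replay becomes detectable at the application level.
    $oldId = session_id();
    $_SESSION = [];
    session_destroy();
    error_log('session: superseded ID used after grace period: '
              . substr($oldId, 0, 8) . '...');
    return 'expired';
}

// Typical use at the top of a request (constructed usage, not output):
//   $state = start_session_with_grace();
//   if ($state === 'expired') { http_response_code(403); exit; }
//   ... on login or privilege change:
//   regenerate_session_with_grace();
```

Because the marker lives in $_SESSION, the raw session record format is unchanged and any user save handler or serializer continues to work, which is the trade-off the first option describes. The cost is that the application, not the module, must call start_session_with_grace() everywhere; the second option (a time stamp in the raw data) would move that check into the module at the price of a save handler and serializer change.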