Re: Solution for session_regenerate_id() issues

From:
Date: Fri, 14 Mar 2014 07:41:13 +0000
Subject: Re: Solution for session_regenerate_id() issues
References: 1
Groups: php.internals
On Thu, Mar 13, 2014 at 01:03:15PM +0900, Yasuo Ohgaki wrote:
> Hi all,
> 
> Current session_regenerate_id() has issues. I'll try to explain what these
> are.
> 
> Issue 1: Old session data is not deleted.
> 
> session_regenerate_id() does not delete the old session by default. It leaves
> the old session available. When an attacker could steal the session ID via
> XSS/sniffing/etc, the attacker can use that session ID as a valid ID as long as
> the application allows. No detection/prevention of a security breach is possible
> at the session module level. This behavior is unacceptable for security reasons.
> 
> Issue 2: Old session data cannot be deleted.
> 
> session_regenerate_id(TRUE) deletes old session data immediately. It's good
> for security, but if there are multiple connections from a client to the server
> (e.g. AJAX/iframe/tabs/etc), a valid connection may fail since it could be
> using the old session ID. Therefore, session_regenerate_id() does not delete
> old session data. Immediate session data deletion is unacceptable for
> reliable operation.
> 
> To solve these 2 issues, we need to delay old session data deletion. Delete
> old session data 60 seconds later, for example.
> 
> Any other feasible solutions are welcome. I cannot think of any.
> 
> Regards,
> 
> P.S. Even with HTTP 2.0, old session data cannot be deleted immediately.
> User may use multiple tabs.

I'm not sure if we should handle that in PHP; an application usually regenerates
the session on important events (i.e. on user login/logout etc.), so any requests
with the old session should be denied, and this can be achieved using
session_regenerate_id(TRUE). Wouldn't it be better to write a security
note in the documentation rather than making the whole thing more complex?

 Regards,
 Mateusz
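For readers following the thread, here is an added userland sketch of the "delayed deletion" idea from the quoted proposal; it is not code from either poster or from PHP's session module. It assumes PHP 7.1 or later (for session_create_id(), which did not exist when the message was written), the default session handler, and the 60-second grace period the proposal mentions; the key names prefixed `__` are invented for the example.

```php
<?php
// Added example: delayed deletion of the old session ID in userland.
// Assumptions: PHP >= 7.1 (session_create_id), default handler,
// 60-second grace window as proposed in the quoted message.

const OLD_SESSION_GRACE = 60;   // seconds the superseded ID stays usable

// Call after session_start() on a privilege change such as login.
function regenerate_with_grace(): string
{
    $data  = $_SESSION;
    $newId = session_create_id();

    // Keep the old record but mark it superseded, so concurrent requests
    // still carrying the old ID (AJAX, iframes, tabs) keep working briefly,
    // and a use after the window can be detected instead of silently served.
    $_SESSION['__destroyed_at'] = time();
    $_SESSION['__new_id']       = $newId;
    session_commit();

    // Strict mode refuses an ID the module has not issued; relax it only for
    // this request while switching to the freshly created ID.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();

    unset($data['__destroyed_at'], $data['__new_id']);
    $_SESSION = $data;           // carry the user's data into the new ID
    return $newId;
}

// Call right after session_start() on every request. Returns false when the
// presented ID is a superseded one used past its grace period, the signal the
// quoted message says the session module cannot produce today.
function session_is_acceptable(): bool
{
    if (!isset($_SESSION['__destroyed_at'])) {
        return true;                                   // current session
    }
    if (time() - $_SESSION['__destroyed_at'] > OLD_SESSION_GRACE) {
        // Stale ID after the window: treat as a possibly stolen ID, drop it,
        // and let the caller log the event and force re-authentication.
        session_unset();
        session_destroy();
        return false;
    }
    // Inside the window: a legitimate late request. Move it over to the new
    // ID (already initialised, so strict mode accepts it) rather than serving
    // it from the old record.
    $newId = $_SESSION['__new_id'];
    session_commit();
    session_id($newId);
    session_start();
    return true;
}
```

The ini_set() change lasts only for the current request, so the php.ini value of session.use_strict_mode applies again on the next one.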
