Re: Solution for session_regenerate_id() issues

From:
Date: Sun, 16 Mar 2014 08:53:39 +0000
Subject: Re: Solution for session_regenerate_id() issues
Groups: php.internals
On Sat, Mar 15, 2014 at 08:46:29AM +0900, Yasuo Ohgaki wrote:

> Application means client side application?
> 
> Suppose you have a gallery application that only shows the user's photos.
> Every request for a photo should use the authenticated session. If
> session_regenerate_id(TRUE) is called during page rendering, what happens?

By application I meant client side application. I don't believe that
periodically regenerating the session introduces better security. Regarding the
case you provide, if session_regenerate_id(TRUE) is used in the page which
contains the photos, then all requests for the images will carry the new session
cookie. (If the browser requests the photos, then the body of the document has
been received, and thus the headers with the new cookie have been received as
well.) If session_regenerate_id() is used elsewhere, then I think that it's not
our problem. However, we should update our documentation to note the problem.

BTW,
https://bugs.php.net/search.php?cmd=display&search_for=session_regenerate_id
- it seems that users also don't see this issue as a problem.

> Of course an attacker may, but
> 
> If the session is hijacked,
>  - The user could know about the attack if the session ID is regenerated by the attacker.
>  - The attacker could know there is hijack protection if the session ID is
> regenerated by the user.
> 
> This is much better than the current behaviour. The risk is mitigated rather than left open.
> BTW, almost all security measures are mitigation.
> 

I don't see how the risk is mitigated in that case. The user will lose the session
(if it was regenerated by the attacker), which probably results in a logout; I
don't believe that a typical user will be alarmed. As a result we'll get the
attacker and the user using distinct sessions - how many applications already
deny using two distinct sessions for one account?

 Regards,
 Mateusz Kocielski
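The race both messages describe (a page regenerates its session ID while the browser is still about to fetch that page's images with the old cookie) and the "obsolete ID presented later" signal from the quoted text can be illustrated in PHP. This is an added example written for this page; it is not code from the thread, from PHP's session extension, or from any proposal in it. It assumes PHP 7.1 or later, where session_regenerate_id() writes the current $_SESSION to the old ID before switching, and session.use_strict_mode=1 so that IDs the server never issued are rejected. The function names, the 60-second grace window and the gallery usage at the bottom are constructed for the example.

```php
<?php
// Added example, not from the php.internals thread. Assumes PHP >= 7.1 and
// session.use_strict_mode = 1 (set in php.ini or via ini_set before session_start).

const OBSOLETE_GRACE_SECONDS = 60;   // constructed value; tune per deployment

/**
 * Start the session and decide what to do if the client presented an ID that
 * regenerate_session_id_with_grace() has already superseded.
 */
function start_session_checking_obsolete(): void
{
    session_start();
    if (!isset($_SESSION['obsolete_at'])) {
        return;                         // current ID, nothing to do
    }
    if (time() <= $_SESSION['obsolete_at']) {
        // In-flight request from the page that regenerated the ID, e.g. an <img>
        // load issued with the previous cookie: serve it with the old data.
        return;
    }
    // An obsolete ID presented after the grace window: either a very slow client
    // or a copy of the cookie held elsewhere. Record it and treat the request as
    // anonymous instead of silently continuing with the old session.
    error_log(sprintf('obsolete session id %s presented from %s',
        session_id(), $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    session_unset();
    session_destroy();
    session_start();                    // strict mode: unknown ID -> fresh empty session
    session_regenerate_id(true);
}

/**
 * Replace the session ID but keep the previous one usable for a short grace
 * window, so requests already issued with the old cookie do not land on a
 * destroyed session (the effect of session_regenerate_id(TRUE) during rendering).
 */
function regenerate_session_id_with_grace(): void
{
    $_SESSION['obsolete_at'] = time() + OBSOLETE_GRACE_SECONDS;
    session_regenerate_id(false);       // old session keeps its data, now marked obsolete
    unset($_SESSION['obsolete_at']);    // the new ID carries no marker
}

// Constructed usage for a gallery page: rotate the ID for logged-in users at
// most every five minutes, then render the page; image requests arriving with
// the old cookie are still served until the window closes.
start_session_checking_obsolete();
if (!empty($_SESSION['user_id'])
    && (time() - ($_SESSION['last_regen'] ?? 0)) > 300) {
    regenerate_session_id_with_grace();
    $_SESSION['last_regen'] = time();
}
```

The point of the marker is that the old session is never "open-ended": after the window closes, any request still carrying it is logged rather than served, which is the observable event the quoted message relies on, while the page that triggered the regeneration keeps working for the requests it spawned.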

