Re: Solution for session_regenerate_id() issues
Hi all,
On Thu, Mar 13, 2014 at 1:03 PM, Yasuo Ohgaki <[email protected]> wrote:
> Current session_regenerate_id() has issues. I'll try to explain what
> these are.
>
> Issue 1: Old session data is not deleted.
>
> session_regenerate_id() does not delete old session by default. It leaves
> old session available. When attacker could steal session ID via
> XSS/sniffing/etc, attacker can use session ID as valid ID as long as
> application allows. No detection/prevention of security breach is possible
> at session module level. This behavior is unacceptable for security reason.
>
> Issue 2: Old session data cannot be deleted.
>
> session_regenerate_id(TRUE) deletes old session data immediately. It's
> good for security, but if there are multiple connections from a client to
> server (e.g. AJAX/iframe/tabs/etc), valid connection may fail since it
> could be using old session ID. Therefore, session_regenerate_id() does
> not delete old session data. Immediate session data deletion is
> unacceptable for reliable operation.
>
> To solve these 2 issues, we need to delay old session data deletion.
> Delete old session data 60 seconds later, for example.
>
> If there is any other feasible solutions are welcome. I cannot think of
> any.
>
I've update old RFC related to this.
https://wiki.php.net/rfc/session_regenerate_id
I hope I've explained well enough why delayed deletion is needed.
Regards,
--
Yasuo Ohgaki
[email protected]
Thread (24 messages)