Re: [RFC] [Discussion] Secure session_regenerate_id()
Hi Mateusz,
On Wed, Mar 19, 2014 at 5:02 PM, Mateusz Kocielski <[email protected]>wrote:
> [...]
> Errors may be raised for either legitimate user or attacker. If error is
> raised for legitimate user, legitimate user could know they are under
> attack.
> (Possibly network is dangerous or app has vulnerability) If error is raised
> for attacker, attacker could know they might be caught by illegal access.
> [...]
>
> I wonder how many legitimate users will realize they're under attack. For
> average user it will look like application does weird things (i.e. logout
> immediately). If network is dangerous or app has vulnerability then we
> cannot
> fix the problem - you can't make n-th layer secure if (n-1)-th layer is
> insecure.
>
It depends on how developer treats possible attack. Session manager raises
exception only. Developer may ignore or give detailed information about the
risk in their page.
My proposal does not alert victims/attackers automatically, but only give
tools for developers.
How to use tools is up to developers.
[...]
> Stealing session ID is easy regardless of HTTPS. Attacker can set up fake
> router by ARP spoofing. Most networks do not have ARP spoofing prevention,
> even detection. For HTTP, attacker can view session ID simply. For HTTPS,
> attacker can set up transparent HTTPS stripping proxy and steal session ID.
> Most users do not care much if they are connecting via HTTPS or not.
> [...]
>
> What if application uses secure attribute on session cookie? We've got
> already
> session.cookie_secure setting which seems to solve the issue. I don't see
> how
> by introducing your proposal will make situation better. If application
> allows
> login and operates as user without HTTPS, then it's not our problem.
>
Secure attribute does not matter if attacker is stripping HTTPS.
I'm having hard time to explain why "detection" is better for security.
Surveillance camera does not "prevent" crime, but "identify" who did.
Surveillance cameras are good for security.
BTW, almost all security measures are "mitigation".
Security measure does not have to "remove risk", but mitigates risk like
HTTPS.
Do you agree that HTTPS is security measure, right?
[...]
> Problem of immediate old session deletion:
>
> Make session ID regeneration unreliable. (Unacceptable)
> [...]
>
> I haven't found single issue in
> bugs.php.net that session_regenerate_id(TRUE) is a problem to any user.
>
Of course, there aren't. session_regenerate_id(FALSE) is the default now and
random logout by race condition is hard to be noticed by developers.
>
> [...]
> Remove alarm for possible attacks. (No detection = Insecure)
> Make sure old session is deleted certain period and Raise
> error/exception for invalid access provides much better security than
> current way or immediate deletion.
> [...]
>
> What you mean by "No detection = Insecure"?
>
I think I've answered this in previous comment.
Thank you for asking question.
Regards,
--
Yasuo Ohgaki
[email protected]
Thread (23 messages)