PHP RFC: Secure Session Module Options/Internal by Default
- Version: 0.10
- Date: 2014-02-03
- Author: Yasuo Ohgaki, yohgaki@ohgaki.net
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/secure-session-options-by-default
Introduction
HTTP session management is at the core of Web security. The current defaults of the session module options are weaker than they could be; secure values by default would be better.
Proposal
Secure settings should be the default, and users should have to opt into weaker settings selectively.
NEW: id_length: minimum session ID length, to mitigate timing attacks. 26 for PHP 5.3/5.4/5.5, 52 for 5.6. This value should not exceed the actual session ID length.
use_strict_mode=on: disallows user-supplied session IDs and improves session ID security. Most applications work with this option.
cookie_httponly=on: disallows access to the session ID cookie from JavaScript. It reduces the risk of session ID theft via JavaScript injection. Most applications work with this option.
hash_function=“sha256”: SHA-256 produces a longer digest than SHA-1/MD5 (256 bits vs 160/128 bits), so session IDs are harder to guess (i.e. by a birthday attack). With a stronger hash, collisions are less likely.
NIST suggests not using SHA-1 for “applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010.” The files save handler detects session ID collisions (PHP 5.5 and later), so small sites are outside the scope of the NIST requirement; however, collision detection is left to each save handler.
“sha256” could be unavailable. In that case the session module silently falls back to SHA-1.
entropy_length=64: entropy_length=32 is too short for SHA-256, so the default becomes 64.
hash_bits_per_character=6: The compiled value is 4, and the php.ini-development/production value is 5. Make both the INI files and the compiled default 6 (shorter session ID string).
Detect collisions via PS_VALIDATE_FUNC(): when a session ID is generated, a collision can be checked with PS_VALIDATE_FUNC() if the save handler provides it. Check collisions in the session module instead of in each save handler module.
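The following bootstrap is an added example, not code from the RFC or from php-src. It applies the proposed values explicitly on PHP 5.5/5.6, where the compiled defaults are still the weaker ones, and performs the check the “sha256 could be unavailable” caveat above calls for: instead of letting the module fall back to SHA-1 silently, it refuses to start a session when ext/hash lacks sha256. The function name harden_session_ini() is this example's own. Note that session.hash_function, session.entropy_length and session.hash_bits_per_character were removed in PHP 7.1, so this applies only to the PHP 5.x versions the RFC targets.

```php
<?php
// Added example (not from the RFC). Apply the RFC's proposed session settings
// at runtime. Must run before session_start(); ini_set() on these keys has no
// effect once a session is active.
//
// Weaker compiled defaults this RFC wants to replace, for comparison:
//   session.use_strict_mode = 0, session.cookie_httponly = 0,
//   session.hash_function = 0 (MD5), session.hash_bits_per_character = 4,
//   session.entropy_length = 32

function harden_session_ini()
{
    // The module falls back to SHA-1 silently when sha256 is missing from
    // ext/hash, so verify availability rather than trusting the setting.
    if (!in_array('sha256', hash_algos(), true)) {
        throw new RuntimeException(
            'sha256 is not available in ext/hash; session IDs would silently fall back to SHA-1'
        );
    }

    // Proposed values from the RFC. All session.* directives are PHP_INI_ALL,
    // so ini_set() works unless php.ini-system locks them.
    $proposed = array(
        'session.use_strict_mode'         => '1',  // reject user-supplied IDs (PHP >= 5.5.2)
        'session.cookie_httponly'         => '1',  // cookie not readable from JavaScript
        'session.hash_function'           => 'sha256',
        'session.entropy_length'          => '64', // 32 is too short for a 256-bit digest
        'session.hash_bits_per_character' => '6',  // 256 bits / 6 = 43 characters
    );

    foreach ($proposed as $key => $value) {
        // ini_set() returns the old value on success and false on failure
        // (unknown directive on an older PHP, or locked by the SAPI/php.ini).
        if (ini_set($key, $value) === false) {
            throw new RuntimeException("cannot set $key; check PHP version and php.ini restrictions");
        }
    }
}

harden_session_ini();
session_start();
```

Failing loudly on a missing algorithm or a rejected directive is deliberate: a silent downgrade to MD5/SHA-1 or to non-strict mode is exactly the condition this RFC argues should not happen by default.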
Backward Incompatible Changes
session_id_length: Users must change this if they use their own, shorter session IDs.
use_strict_mode=on: User-provided session IDs are no longer accepted (this is good for security).
cookie_httponly=on: JavaScript cannot access the session ID cookie (this is good for security).
hash_function=“sha256”: Longer session ID string. This would not be an issue for almost all applications (collisions are less likely; good for security).
hash_bits_per_character=6: Shorter session ID string, with a larger character alphabet in the session ID string. It is 5 in php.ini-development/production. This should not be an issue for almost all apps.
Proposed PHP Version(s)
PHP 5.3/5.4/5.5: session_id_length=26 only.
PHP 5.6: all changes.
Impact to Existing Extensions
Session module
php.ini Defaults
- hardcoded default values
- php.ini-development values
- php.ini-production values
PHP 5.3/5.4/5.5: id_length=26
PHP 5.6: id_length=43
PHP 5.6: use_strict_mode=on, cookie_httponly=on, hash_function=1, hash_bits_per_character=6, entropy_length=64 for all three
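The id_length values quoted above (26 for 5.3/4/5, 52 or 43 for 5.6) follow from the digest size and session.hash_bits_per_character. The script below is an added example, not RFC or php-src code: it reproduces those lengths, goes slightly beyond the page by including the compiled 4-bit (hex) encoding for MD5 and SHA-1, and shows the constant-time length-and-alphabet check that a known minimum ID length makes possible before any save-handler lookup. The character alphabets per bits-per-character value are the ones documented for ext/session; the function names and the sample IDs are constructed for this example.

```php
<?php
// Added example, not code from the RFC or from php-src.

// Characters ext/session emits for a digest: whole characters plus one more
// for any leftover bits (the same rounding the module's encoder applies).
function session_id_chars($digest_bits, $bits_per_char)
{
    return (int) ceil($digest_bits / $bits_per_char);
}

// Regex character class for each hash_bits_per_character value (documented alphabets).
function session_id_alphabet($bits_per_char)
{
    switch ($bits_per_char) {
        case 4:  return '0-9a-f';
        case 5:  return '0-9a-v';
        case 6:  return '0-9a-zA-Z,\\-';   // '-' escaped for use inside the class
        default: throw new InvalidArgumentException('bits per character must be 4, 5 or 6');
    }
}

// True only when $id has exactly the expected length and alphabet. Rejecting a
// malformed ID here takes constant time and never touches session storage, which
// is what a minimum id_length lets the module do before calling the save handler.
function is_well_formed_session_id($id, $digest_bits, $bits_per_char)
{
    $len     = session_id_chars($digest_bits, $bits_per_char);
    $pattern = '/^[' . session_id_alphabet($bits_per_char) . ']{' . $len . '}$/';
    return is_string($id) && preg_match($pattern, $id) === 1;
}

// Constructed table of the combinations discussed on the page (digest bits, bits/char, page value).
$cases = array(
    array('PHP 5.3-5.5 ini default: md5, 5 bits/char', 128, 5, 26),
    array('PHP 5.6 proposal: sha256, 5 bits/char',     256, 5, 52),
    array('PHP 5.6 proposal: sha256, 6 bits/char',     256, 6, 43),
    array('compiled default: md5, 4 bits/char (hex)',  128, 4, 32),
    array('sha1, 4 bits/char (hex)',                   160, 4, 40),
);
foreach ($cases as $case) {
    list($label, $bits, $bpc, $page_value) = $case;
    printf("%-46s -> %d chars (page: %d)\n", $label, session_id_chars($bits, $bpc), $page_value);
}

// Constructed IDs: right shape for sha256/6 bits, too short, and wrong alphabet.
$good = str_repeat('Ab3-,Cd', 6) . 'x';   // 43 characters from the 6-bit alphabet
var_dump(is_well_formed_session_id($good, 256, 6));                  // well formed
var_dump(is_well_formed_session_id(substr($good, 0, 26), 256, 6));   // too short
var_dump(is_well_formed_session_id(str_repeat('g', 32), 128, 4));    // 'g' is not hex
```

The length check is an application-layer stand-in for what id_length would give the module itself; with use_strict_mode=on the module also regenerates the ID for anything the save handler does not recognise, so the two measures complement each other rather than replace each other.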
Open Issues
Proposed Voting Choices
Yes/No
VOTE
VOTE is not started.
Thank you for voting!
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
References
- Collision probability - http://preshing.com/20110504/hash-collision-probabilities/
- NIST advises not to use SHA-1 - http://csrc.nist.gov/groups/ST/hash/policy_2006.html
Rejected Features
Keep this updated with features that were discussed on the mail lists.