rfc:session-create-id
Differences
This shows you the differences between two versions of the page.
rfc:session-create-id [2016/08/12 04:22] – Added Discussion section. yohgaki | rfc:session-create-id [2020/03/26 12:47] (current) – this RFC has been implemented long ago cmb | ||
Line 4: | Line 4: | ||
* Modified Date: 2016-08-10 | * Modified Date: 2016-08-10 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | Session ID is created by session internal | + | Session ID is created by session internal |
===== Proposal ===== | ===== Proposal ===== | ||
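Review bot: the Modified Date on the first line of this hunk still reads 2016-08-10 on both sides even though the Status line directly below it changes in this revision; update the date together with the status so the RFC header does not claim to be older than its last substantive edit.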
Line 101: | Line 101: | ||
function session_create_id(string $prefix) | function session_create_id(string $prefix) | ||
{ | { | ||
- | $encoded = base64_encode(ini_get(' | + | $encoded = base64_encode(random_bytes(ini_get(' |
// Use same charset as PHP | // Use same charset as PHP | ||
$sid = substr(rtrim(strtr($encoded, | $sid = substr(rtrim(strtr($encoded, | ||
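Review bot: the left side passes the ini_get() result straight into base64_encode(), so the "random" part of the session ID was just the encoded configuration value rather than random bytes; wrapping it in random_bytes() on the right side is the substantive fix and is correct. Two follow-ups on that line: ini_get() returns a string (or false when the ini key is unknown), so cast the value with (int) and reject anything below 1 before the call, because random_bytes() throws for a non-positive length, and a misconfigured ini value should fail the session start rather than surface as an uncaught exception from inside the save-handler path. The comment "Use same charset as PHP" on the following line would also be easier to verify if it named the two base64 characters that strtr() is remapping into PHP's session-ID alphabet.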
Line 118: | Line 118: | ||
when session is active, connect to database and validate SID | when session is active, connect to database and validate SID | ||
try to fetch sid | try to fetch sid | ||
- | if sid is not there | + | if sid is there |
try again to generate SID few times | try again to generate SID few times | ||
if SID validation failed | if SID validation failed | ||
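Review bot: the corrected condition "if sid is there" now matches the collision-detection intent: regenerate only when the freshly generated SID already exists in the store, whereas the old "if sid is not there" would have retried on every fresh ID and accepted a colliding one. What the pseudocode still leaves open is the exit path: "try again to generate SID few times" should state a fixed retry bound and say that when every retry collides, or the "SID validation failed" branch on the next line is taken, the handler refuses to start the session (return false or throw) instead of silently using the last candidate, otherwise an exhausted retry loop ends with two users sharing one session, which is exactly what the collision check exists to prevent.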
Line 128: | Line 128: | ||
</ | </ | ||
- | Something like above code is **required** to implement recommended user session save handlers. | + | Something like above code is **required** to implement recommended user session save handlers |
+ | |||
+ | == The default 128 bits Session ID is large enough to ignore collisions == | ||
+ | |||
+ | Brute force session ID hijack risk is described here. | ||
+ | https:// | ||
+ | |||
+ | The expected number of seconds required to guess a valid session | ||
+ | identifier is given by the equation: | ||
+ | |||
+ | (2^B+1)/ | ||
+ | |||
+ | Where: | ||
+ | |||
+ | B is the number of bits of entropy in the session identifier | ||
+ | A is the number of guesses an attacker can try each second | ||
+ | S is the number of valid session identifiers that are valid and | ||
+ | available to be guessed at any given time | ||
+ | |||
+ | It says | ||
+ | |||
+ | '' | ||
+ | |||
+ | 292 years may sound long enough. However, even though the document explicitly does not states " | ||
+ | |||
+ | Let me paraphrase OWASP' | ||
+ | |||
+ | '' | ||
+ | |||
+ | NOTE: It's about probability. Expectation is "on average" | ||
+ | |||
+ | Assumption for security should be pessimistic. OWASP makes pessimistic assumption for entropy in session ID, probably because proving " | ||
+ | |||
+ | 10M active sessions are possible even with relatively small sites because there are users who use very long session ID life time for "auto login" | ||
+ | |||
+ | In addition to above, current session management implementation does not support timestamp based session data management. i.e. https:// | ||
+ | |||
+ | Somebody wins lottery. Even 1 in millions/ | ||
+ | |||
+ | If there are users who really do not want collision detection at all, they should do it by their own responsibility and risk. e.g. | ||
+ | |||
+ | <code php> | ||
+ | if (session_status() == PHP_SESSION_ACTIVE) { | ||
+ | session_commit(); | ||
+ | } | ||
+ | ini_set(' | ||
+ | // NIST requires SHA2 or better hash for collision sensitive usage. | ||
+ | $new_sid = hash(' | ||
+ | session_id($new_sid); | ||
+ | session_start() | ||
+ | </ | ||
Line 143: | Line 193: | ||
This project requires a 2/3 majority | This project requires a 2/3 majority | ||
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No | ||
Line 157: | Line 207: | ||
After the project is implemented, | After the project is implemented, | ||
- the version(s) it was merged to | - the version(s) it was merged to | ||
+ | - PHP 7.1 and master (Merged to 7.1 also by RM permission) | ||
- a link to the git commit(s) | - a link to the git commit(s) | ||
+ | - http:// | ||
- a link to the PHP manual entry for the feature | - a link to the PHP manual entry for the feature | ||
+ | - http:// | ||
===== References ===== | ===== References ===== |
rfc/session-create-id.1470975756.txt.gz · Last modified: 2017/09/22 13:28 (external edit)