rfc:session-create-id

Differences

rfc:session-create-id [2016/08/14 21:06]
yohgaki Fixed example code bug :(
rfc:session-create-id [2020/03/26 12:47] (current)
cmb this RFC has been implemented long ago
Line 4: Line 4:
   * Modified Date: 2016-08-10   * Modified Date: 2016-08-10
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Voting+  * Status: Implemented (PHP 7.1)
   * First Published at: http://wiki.php.net/rfc/session-create-id   * First Published at: http://wiki.php.net/rfc/session-create-id
  
 ===== Introduction ===== ===== Introduction =====
-Session ID is created by session internal bin_to_reabable() function. bin_to_readable() creates readable string from binary data depending. New session_create_id() uses bin_to_readable() to create user defined session ID string. Session ID may use 'a'-'z', 'A'-'Z', ',', '-'. Without session_create_id(), user has to implement their own bin_to_readable() in user land.+Session ID is created by session internal bin_to_readable() function. bin_to_readable() creates readable string from binary data depending. New session_create_id() uses bin_to_readable() to create user defined session ID string. Session ID may use 'a'-'z', 'A'-'Z', ',', '-'. Without session_create_id(), user has to implement their own bin_to_readable() in user land.
  
 ===== Proposal ===== ===== Proposal =====
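Review bot: the typo fix bin_to_reabable() -> bin_to_readable() is right, but the second sentence of the Introduction still ends mid-thought in both columns ("creates readable string from binary data depending.") and should say what the output depends on. Also, Status moves from Voting to Implemented (PHP 7.1) while the Modified Date line two rows above stays at 2016-08-10; bump the date in the same edit so the header is consistent.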
Line 118: Line 118:
     when session is active, connect to database and validate SID     when session is active, connect to database and validate SID
       try to fetch sid       try to fetch sid
-        if sid is not there+        if sid is there
           try again to generate SID few times           try again to generate SID few times
       if SID validation failed       if SID validation failed
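Review bot: changing the condition from "if sid is not there" to "if sid is there" is the correct fix. The retry ("try again to generate SID few times") must run only when the fetched SID already exists in the store, i.e. on a collision; with the old condition a fresh, unused SID would have triggered regeneration and a colliding one would have been accepted. The pseudocode would be clearer if it also stated what happens when the retries are exhausted (fail the request rather than fall through with a colliding SID).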
Line 128: Line 128:
 </code> </code>
  
-Something like above code is **required** to implement recommended user session save handlers. +Something like above code is **required** to implement recommended user session save handlers currently 
 + 
 +== The default 128 bits Session ID is large enough to ignore collisions == 
 + 
 +Brute force session ID hijack risk is described here. 
 +https://www.owasp.org/index.php/Insufficient_Session-ID_Length 
 + 
 +  The expected number of seconds required to guess a valid session 
 +  identifier is given by the equation: 
 +   
 +  (2^B+1)/(2*A*S) 
 +   
 +  Where: 
 +   
 +  B is the number of bits of entropy in the session identifier 
 +  A is the number of guesses an attacker can try each second 
 +  S is the number of valid session identifiers that are valid and 
 +  available to be guessed at any given time 
 + 
 +It says 
 + 
 +''Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.'' 
 + 
 +292 years may sound long enough. However, even though the document explicitly does not states "Session manager must validate session ID for possible collisions", but it is clear it assumes session manager that validates session ID. 
 + 
 +Let me paraphrase OWASP's document to show why. 
 + 
 +''Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, legitimate users might create 10,000 new session ID per second (New and regenerated session) with 10,000,000 valid session identifiers available to be collided. Given these assumptions, the expected time of web system to successfully has collided identifier is greater than 2 years on average.'' 
 + 
 +NOTE: It's about probability. Expectation is "on average" and could be much shorter. 
 + 
 +Assumption for security should be pessimistic. OWASP makes pessimistic assumption for entropy in session ID, probably because proving "CSPRNG generates good quality of random bytes" is difficult. 
 + 
 +10M active sessions are possible even with relatively small sites because there are users who use very long session ID life time for "auto login". (This is not a recommended auto login implementation, though) 10K new session ID per second is possible for relatively small sites also because OWASP recommends session ID regeneration for every 15 minutes or less for certain usage. 
 + 
 +In addition to above, current session management implementation does not support timestamp based session data management. i.e. https://wiki.php.net/rfc/precise_session_management This makes situation even worse. 
 + 
 +Somebody wins lottery. Even 1 in millions/hundreds years could happen. IMHO, it is not reasonable to argue "Session ID collision very rare and cannot happen" or "Session ID is safe without collision detection, can ignore collisions", and tell poor user "We do know it may happen, but you just had rare bad luck. Even though protection could be implemented, whatever consequences are your responsibility. It's the PHP way"
 + 
 +If there are users who really do not want collision detection at all, they should do it by their own responsibility and risk. e.g. 
 + 
 +<code php> 
 +if (session_status() == PHP_SESSION_ACTIVE) { 
 +  session_commit(); 
 +
 +ini_set('session.use_strict_mode', 0); 
 +// NIST requires SHA2 or better hash for collision sensitive usage. 
 +$new_sid = hash('sha512', random_bytes(128)); 
 +session_id($new_sid); 
 +session_start() 
 +</code>
  
  
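Review bot: the PHP example in this hunk does not parse as shown: the closing brace of the "if (session_status() == PHP_SESSION_ACTIVE)" block is missing (the line after "session_commit();" is empty) and "session_start()" lacks a terminating semicolon. The comment "NIST requires SHA2 or better hash for collision sensitive usage" also reads as if the hash contributes collision resistance; the entropy here comes entirely from random_bytes(128), and hash('sha512', ...) only maps those bytes to a 128-character hex string made of characters valid in a session ID, so the comment should say that instead. Smaller points: the reworded sentence "save handlers currently" lost its trailing period, and "does not states" should be "does not state". The paraphrased estimate is consistent with the quoted formula (2^64 / (2 * 10000 * 10000000) is about 9.2e7 seconds, roughly 2.9 years), so "greater than 2 years" checks out.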
Line 143: Line 193:
 This project requires a 2/3 majority This project requires a 2/3 majority
  
-<doodle title="Add session_create_id() frunction" auth="Yasuo Ohgaki" voteType="single" closed="false">+<doodle title="Add session_create_id() frunction" auth="Yasuo Ohgaki" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
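Review bot: the doodle title still reads "frunction"; since this line is being edited anyway to set closed="true", fix the spelling to "function" in the same change.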
Line 157: Line 207:
 After the project is implemented, this section should contain  After the project is implemented, this section should contain 
   - the version(s) it was merged to   - the version(s) it was merged to
 +    - PHP 7.1 and master (Merged to 7.1 also by RM permission)
   - a link to the git commit(s)   - a link to the git commit(s)
 +    - http://git.php.net/?p=php-src.git;a=commitdiff;h=7ee9f81c54ca888beae1c6aaeaccee1260012076
   - a link to the PHP manual entry for the feature   - a link to the PHP manual entry for the feature
 +    -  http://svn.php.net/viewvc?view=revision&revision=339956
  
 ===== References ===== ===== References =====
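Review bot: the third item is filled with an svn.php.net viewvc revision link (a documentation-source commit) rather than the PHP manual entry the template asks for; link the manual page for session_create_id() instead, or label the link as the doc commit. Now that all three items are filled, the template scaffolding "After the project is implemented, this section should contain" should be dropped as well.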
rfc/session-create-id.1471208805.txt.gz · Last modified: 2017/09/22 13:28 (external edit)