rfc:session_regenerate_id

rfc:session_regenerate_id [2014/03/19 10:34]
yohgaki
rfc:session_regenerate_id [2017/09/22 13:28] (current)
Line 1: Line 1:
  
-====== PHP RFC: Make session_regenerate_id() ​more secure ​====== +====== PHP RFC: Make session_regenerate_id() ​reliable ​====== 
-  * Version: ​0.91+  * Version: ​1.0
   * Date Created: 2013-10-30   * Date Created: 2013-10-30
-  * Date Updatead: ​2014-03-19+  * Date Updatead: ​2015-03-20
   * Author: Yasuo Ohgaki <​yohgaki@php.net>​   * Author: Yasuo Ohgaki <​yohgaki@php.net>​
   * Status: Under Discussion   * Status: Under Discussion
   * First Published at: http://​wiki.php.net/​rfc/​session_regenerate_id   * First Published at: http://​wiki.php.net/​rfc/​session_regenerate_id
 +  * Renamed: https://​wiki.php.net/​rfc/​precise_session_management
  
 ===== Introduction ===== ===== Introduction =====
 +
 +**This RFC is renamed**. Refer to the latest
 +
 +https://​wiki.php.net/​rfc/​precise_session_management
 +
 +
  
 Keeping HTTP session as secure as possible is what the session manager'​s task. **Session manager can improve HTTP session security without user code modification while keeping compatibility with existing applications.** Please note that this RFC is for session manager behavior. Keeping HTTP session as secure as possible is what the session manager'​s task. **Session manager can improve HTTP session security without user code modification while keeping compatibility with existing applications.** Please note that this RFC is for session manager behavior.
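Review bot: the metadata typo "Date Updatead" survives on both sides of this hunk and should read "Date Updated". The revision also adds a "This RFC is renamed" notice pointing at precise_session_management but leaves "Status: Under Discussion" unchanged; mark the status here as renamed or superseded so the old and new pages do not both appear to be open for discussion.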
Line 38: Line 45:
  
  
-===== Risk of stolen session ​=====+==== Risk of stolen session ====
  
 Stealing session ID is easy regardless of HTTPS. Attacker can set up fake router by ARP spoofing. Most networks do not have ARP spoofing prevention, even detection. For HTTP, attacker can view session ID simply. For HTTPS, attacker can set up transparent HTTPS stripping proxy and steal session ID. Most users do not care much if they are connecting via HTTPS or not. Stealing session ID is easy regardless of HTTPS. Attacker can set up fake router by ARP spoofing. Most networks do not have ARP spoofing prevention, even detection. For HTTP, attacker can view session ID simply. For HTTPS, attacker can set up transparent HTTPS stripping proxy and steal session ID. Most users do not care much if they are connecting via HTTPS or not.
Line 45: Line 52:
  
 If you are curious, search [[https://​www.youtube.com/​results?​search_query=arp%20spoofing%20tutorial&​sm=3|YouTube]] or net. If you are curious, search [[https://​www.youtube.com/​results?​search_query=arp%20spoofing%20tutorial&​sm=3|YouTube]] or net.
 +
 +==== This is known design issue for a long time ====
 +
 +Even if there is only recent bug report for this, this bug is known more than 10 years since when session_regenerate_id() is introduced.
 +
 +https://​bugs.php.net/​bug.php?​id=69127
 +
 +
  
 ===== Proposal ===== ===== Proposal =====
  
-==== Add __SESSION_REGENERATE_ID_EXPIRE__ time stamp ====+==== Add transparent __SESSION_DESTROY_TTL__ timestamp ​==== 
 + 
 +**Add '​session_destory_ttl'​ INI directive**(INI_ALL,​ default 300 seconds) and **"​make sure old session is deleted certain period"​**.
  
-**"​Make sure old session is deleted certain period"​** ​can be achieved by time stamp in session data. When session_regenerate_id() called, session manager sets+This can be achieved by time stamp in session data. When session_regenerate_id()/​session_destroy() is called ​without parameter, session manager sets
  
 <code php> <code php>
-  $_SESSION['​__SESSION_REGENERATE_ID_EXPIRE__'] = time() + ini_get('​session.regenerate_id_expire'​);​+  $_SESSION['​__SESSION_DESTORY_TTL__'] = time() + ini_get('​session.regenerate_id_expire'​);​
 </​code>​ </​code>​
  
-for old session data.+for old session data. This is pseudocode. User will never see $_SESSION['​__SESSION_DESTORY_TTL__'​] as it is removed/​added upon session data serialization internally in session module
  
 +$_SESSION['<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>'​] also stores new session ID when TTL is set by session_regenerate_id(). ​
  
-**"​Raise error/​exception for invalid access"​** can be done when session manager initializes session, check above value. If expired session is accessed, session manager raises "​**SessionRegenerateIdExpireException**"​.+   ​integer_string_timestamp\0string_session_id
  
 +If browser accesses to be deleted session (old session), session module uses new session ID rather than old and try to set correct new ID. i.e. Send new session ID cookie to browser. This prevents lost session under unstable network.
  
-NOTE: Since new session_start() accepts any INI values as optionprogrammers may change INI value by session_start() as follows.+If session module finds $_SESSION['<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>'​] and timestamp is olddelete old session data and create new session with new session ID. E_WARNING error is raised for this because it means either too short TTL or user is under attack.
  
-<code php> +When session_regenerate_id(true)/session_destroy(true) is called, session module destroy session data immediately.
-  session_start(['​regenerate_id_expire'​=>​300])+
-</code>+
  
-Actual deletion of old session ​is left for GC. Precise deletion of expired session data will be address by other RFC.+Users may add $_SESSION['<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>'​]. When this is happen, ​session ​module raise E_WARNING ​for this.
  
-There may developers dislike values in $_SESSION. However, this is convenient for developers to test their applications. 
  
-  * Test program may set $_SESSION['​___SESSION_REGENERATE_ID_EXPIRE___'​] as it requires ​and test application.+=== Why TTL default is 300 seconds ​and configurable ===
  
-===== Backward Incompatible Changes =====+Session data may be lost when network connection is unstable. For example, when user ender elevator or subway connection can be lost in a way that session data is lost. 300 seconds would be enough for most elevators. However, it may not be enough for subways. PHP developer may require longer TTL for better stability.
  
-  * If user script has __SESSION_REGENERATE_ID_EXPIRE__ key in $_SESSION, it may break application. +Some PHP developers ​may want to be more strict and need shorter TTL even if it could result in lost session on occasionsThey may set 30 seconds TTL 
-  * Raised exception ​may break application. +which would be long enough for stable connection in most cases.
-  * Test programs could be affected.+
  
 +=== Why this is secure than now ===
  
-===== Proposed PHP Version(s=====+Currently, users must call session_regenerate_id() without destroy flag to have stable session. Therefore, old session data is valid as long as it is accessed even if it should be discarded as invalid session. Attackers can take advantage of this behavior to keep stolen session forever.
  
-PHP 5.X++===== Backward Incompatible Changes =====
  
 +  * If user script has <​nowiki>​__SESSION_DESTROY_TTL__</​nowiki>​ key in $_SESSION, it may break application.
 +  * Raised error may break application.
 +
 +===== Proposed PHP Version(s) =====
 +
 +PHP 7.0
  
 ===== SAPIs Impacted ===== ===== SAPIs Impacted =====
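Review bot: the key name is spelled two ways in this hunk: the heading and the Backward Incompatible Changes list use `__SESSION_DESTROY_TTL__`, while the pseudocode and the surrounding prose use `__SESSION_DESTORY_TTL__`; pick one spelling (and fix the matching 'session_destory_ttl' directive name). The pseudocode also still reads `ini_get('session.regenerate_id_expire')` even though the directive was renamed in this revision; it should read the new TTL directive. On the design itself: since the old session record now carries the new session ID and a request presenting the old ID within the TTL is answered with the new ID cookie, anyone holding the old ID inside that window is effectively migrated to the new session. The "Why this is secure than now" paragraph should state this trade-off explicitly, so readers understand that the TTL (300 seconds by default, 30 seconds for stricter deployments) is the bound on that window, and that the E_WARNING on expired access is the only signal once the window has closed.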
Line 105: Line 127:
   * php.ini-production values   * php.ini-production values
  
-  * "​session.regenerate_id_expire ​60" for all. (60 seconds) +  * "​session.destroy_ttl ​300" for all. (300 seconds, INI_ALL)
  
 ===== Open Issues ===== ===== Open Issues =====
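Review bot: the php.ini entry here is `session.destroy_ttl`, but the Proposal section introduces the directive as 'session_destory_ttl' (underscore separator and transposed letters); the INI name should be identical in both places, as this is the value users will actually set.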
Line 121: Line 142:
  
  
-===== Proposed Voting Choices ​=====+===== Vote =====
  
-  * Add __SESSION_REGENERATE_ID_EXPIRE__ ​time stamp Yes/No+  * Add <​nowiki>​__SESSION_DESTORY_TTL__</​nowiki> ​time stamp Yes/No
  
  
Line 133: Line 154:
  
   * http://​us3.php.net/​session_regenerate_id   * http://​us3.php.net/​session_regenerate_id
 +  * https://​bugs.php.net/​bug.php?​id=69127 (Bug report)
 +  * https://​wiki.php.net/​rfc/​session-lock-ini#​proposal_4_-_lazy_destroy (Previous attempt)
  
 ===== ChangeLog ===== ===== ChangeLog =====
  
 +  * 2015/03/21 - Added new session ID handling.
 +  * 2015/03/20 - Change INI directive name.
 +  * 2014/03/19 - Add exception option as Stas suggested.
   * 2014/03/18 - Change RFC to propose time stamping.   * 2014/03/18 - Change RFC to propose time stamping.
   * 2013/10/30 - Added details and message option.   * 2013/10/30 - Added details and message option.
   * 2013/10/29 - Created RFC   * 2013/10/29 - Created RFC
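Review bot: the ChangeLog now has a 2015/03/21 entry, but the metadata on this revision still reads "Date Updatead: 2015-03-20"; the two should agree. The 2014/03/19 "Add exception option as Stas suggested" entry is also stale, because this revision drops the SessionRegenerateIdExpireException in favour of an E_WARNING, and no ChangeLog entry records that replacement.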