Ferenc, I can login to wiki, but cannot write to the page.
https://wiki.php.net/rfc/strict_sessions Could you update the page with attached file? Thank you. -- Yasuo Ohgaki
====== Request for Comments: Strict Sessions ====== * Version: 0.1 * Date: 2011-11-23 * Author: Yasuo Ohgaki <yohg...@ohgaki.net> * Status: Draft * First Published at: https://wiki.php.net/rfc/strict_sessions ===== Introduction ===== https://gist.github.com/1379668 This patch adds - validate_sid() to ps_modules (Save handlers) - use_strict_session to php.ini (On by default, off for old behavior) - display that save handler supports strict session or not via phpinfo() (So that user could know behavior) - update PHP_SESSION_API version (So that save handler authors could write portable code) Compatibility issues are - save handlers that are currently working should also work with this patch, except ps modules using PS_MOD_SID and PS_MOD_FUNCS_SID macro. These ps modules should implement validate_sid(). Modules that are using PS_MOD/PS_FUNCS are not affected, they just marked as "adaptive" module. (e.g. pecl sqlite's ps module. You can see it via phpinfo()) NOTE: PS_MOD_SID() and PS_MOD_FUNCS_SID() are already defined, but it was the same as PS_MOD()/PS_MOD_FUNCS(). If old ps_module does not compile, just remove "_SID" from PS_MOD_SID()/PS_MOD_FUNCS_SID(). - session ID string is checked so that chars are alphanumeric + ',' '-' when use_strict_session=On. (mod_file.c checks session ID this way w/o this patch to prevent problems. Using restrictive session ID string is better for other ps modules. IMHO) - session read failure is not rescued to eliminate possible infinite loops. Bundled ps modules were not using this at least. You will see some tests are failing since they depend on adaptive session. By looking into failing test results, you can see this patch is generating new session ID if it's not a already initialized session. I'll modify these tests (set use_strict_session=Off) and add some tests for new feature (new validate_sid() function for user and use_class save handler) after commit. It removes session read failure retry code from php_session_initialize() . The retry code may cause infinite loop depending on save handler implementation. Some session save handlers may be using this to prevent adoption(?), but they should implement validate_sid() to prevent adoption from now on. With new code, there will never be infinite loops. Currently bundled save handlers are not using this feature. If there is no objection, I'll commit it to trunk. ===== Background ===== Session is one of the most important feature to secure Web applications. However, current PHP session module is weak to session ID adoption, thus it is weak to session fixation. ==== Current Solution ==== Programmer can make adoptive session with user land code as follows. Login code fragment: Code that adds session ID as validation key. session_destory(); session_regenerate_id(); $_SESSION['vaild_id'] = session_id(); Validation code: Code other than login. Check if session is properly initilized. if ($_SESSION['valid_id'] !== session_id()) { die('Invalid use of session ID'); } Alternatively, programmers may try to delete all possible cookies by sending empty session ID cookie. ==== Reason why the validation key is required ==== Cookie that is used for session allows multiple cookies for a single request. When multiple cookies are set, browsers send multiple cookie header WITHOUT domain and path information. Browser just send cookie header and there is no way to know which cookie is for which domain or path. In addtion, there are no standards for sending multiple cookie. For example, IE has different order preference for sending cookies than Chrome/Firefox. This behavior prevents use of session_regenerat_id()'s new cookie in some cases. PHP may use invalid session ID to initialize session. Session ID can be fixed (i.e. session fixation) without the validation code. Session fixation can be used to take over session and compromise Web application security. ===== Solution with this patch ===== This patch adds validate_id() function to ps_modules (session save handler) that can check if the session ID is already initialized one or not. Bundled ps_modules are now have validate function and will never accept uninitialized session ID regardless cookie based or URL rewriter. It is still possible users may write improper save handler, but it is user's responsibility that writes proper save handler that prevents session adoption. ==== Compatibility ==== At user land, there will be no compatibility issues by disabling session.use_strict_mode. (i.e. session.use_strict_mode=0) There may be compatibility problem For internal session modules, if and only if it uses PS_MOD_SID()/PS_MOD_FUNCS_SID() for ps_module definition. Module writers may use PHP_SESSION_API version id to write portable ps_modules. ===== Related Discussions ===== http://www.mail-archive.com/internals@lists.php.net/msg54147.html ===== Changelog ===== 2011-11-23 - 0.1 - just dumping the info from the original mail
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
