Morning Yasuo,

    First, thanks for all the effort ... You already know that, a refusal
to merge a patch doesn't mean you wasted your time, it should serve to
refocus your research.

    So, I thought I'd say some stuff, to aid with that ...

    The first thing I would do is break down the problem into smaller, much
smaller, RFC's: We know there are many inconsistencies in the language, we
could write a huge long list, and do a bumper RFC to solve them all at
once. But would that be a good idea !?

    As already mentioned it's much easier to consider each problem on it's
own, and the solution for that problem on it's own, than it is to consider
what we are going to do about this huge mess. Try to remember that while
you have had your head buried in this stuff for a long time, the rest of us
likely haven't.

    I don't really like to talk about security, it's not a thing I feel
qualified to talk about ... but, there is inconsistency in saying "we
should have a secure by default session module", and then introducing ini
settings that can vary the effectiveness of the solution, based on guesses
about the length, and speed at which elevators travel ...

    Having another setting which seems to be 18 times longer than the
recommended value for "low security applications" is also extremely odd to
me ...

    That you can't find sensible defaults for these values, says to me that
these problems don't have solutions in our domain; Application security is
a problem that can only be solved by the programmer using PHP.

    We should provide the tools, we should not lie about the validity of a
session because of faults in our design, every layer we provide should be
consistent, but the problem still belongs to the programmer using PHP.

Cheers
Joe


On Thu, Mar 24, 2016 at 4:18 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Hi all,
>
> On Thu, Mar 24, 2016 at 11:34 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > We have to come up with other solutions for
> >
> >  - Session loss by race conditions
> >  - Method to make session abuse harder
>
> I'll explain how attacker can steal PHP sessions forever with current
> session module. There are multiple serious issues in current session
> management. I suppose this makes difficult to understand what wrong
> with current session. Any stolen session is not acceptable, but I'll
> focus cases only that allows session abuse forever to make discussion
> simpler.
>
> ** Exploit 1 ** Attack adoptive session management
> Internet RFC does not define cookie precedence for multiple
> outstanding cookies. Therefore, when multiple cookies for "httponly",
> "secure", web site domain names, web app path are set, it's up to
> browser implementation which cookie is sent to browser. Attacker can
> set undeletable cookie by using this behavior. i.e. Simple Set-cookie
> cannot delete nor update session ID cookie, but attacker's session ID
> stay as outstanding session ID cookie forever.
>
> If you experiment how browsers behave, you'll be surprised how easy to
> set undeletable cookie by single XSS. You'll be surprised how some
> browsers manage cookie by insane way also.
>
> Requirement
>  "session.use_strict_mode=0". This is the default
>
> Note
>  "session.use_strict_mode=1" can mitigate issue a little, but remained
> risk is not acceptable. Attacker may use next attack method explained
> to keep active session (to avoid GC). "session.use_strict_mode=1"
> creates client side race condition also. This results in lost sessions
> on occasion.
>
> ** Exploit 2 ** Attack static session ID
> Stealing active session is easy especially when physical access to
> device is possible. It's just a matter of displaying cookies for a
> website and take picture, then abuse.
>
> When https is not used, stealing active session ID is trivial by ARP
> spoofing, evil twins, etc. Even if https is used, setting up https
> stripping proxy is trivial and HSTS is not used widely.
>
> Attackers can keep active session forever by accessing stolen session
> periodically before GC.
>
> Requirement
>  Application that does not call session_regenerate_id() after login
> and has no expiration period for active sessions.
>
>
> In addition, PHP does not have any attack detection for these attacks
> while precise session management proposal does.
>
> Inclusion, if I were attacker, I would say attacking PHP session is
> easy and safe (undetectable) by poor session management.
>
> Let's discuss how we are going to address these issues and fix them.
> My opinion is "PHP's session manager must be safe against these
> attacks by default/out of the box. Users should not have to write code
> and manage basic session status".
>
> Those who were vote against the proposal, please let me know which
> part of my RFC is not good enough at least, better proposal is
> appreciated of course.
>
> Thank you.
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Reply via email to