On 26/09/2016 07:02, Stanislav Malyshev wrote:
http://php.net/manual/en/session.security.php
>http://php.net/manual/en/function.session-regenerate-id.php
It looks like those need some polishing. If somebody with native English
volunteers it'd be great, otherwise I'll do it a bit later.
I was about to make the same comment. I'm sure there are some very
important points in here, but it's quite hard to follow. For instance,
the section "Non-Adaptive Session Management" jumps straight in with the
claim that "PHP's session manager is adaptive by default", but never
explains, as far as I can see, what that actually means. There's also
far too many Warning and Note pop-outs on that page - the whole page is
security advice, does it really make sense to colour every other
paragraph pink?
I think a better approach for both the manual and RFCs proposing changes
is to try to summarise the key attacks users need to protect against,
and how to protect against them (as well as some of the trade-offs
involved). Perhaps then an additional summary at the end with the
recommended combination of settings. Use bullet points, summary
sentences, etc.
I've probably got some details wrong here, but just as an example of the
style:
Session Hijacking
===============
Session Hijacking is one of the simplest session-related attacks: an
attacker accesses the website using another user's session. This can
lead to problems such as:
- The attacker impersonating a known user.
- The attacker gaining access to restricted parts of a site.
- The attacker accessing the user's personal details stored on the
server (e.g. a "My Account" or "My Orders" page)
To protect against session hijacking, you should:
- Restrict the places the session ID appears. For instance, set the
session manager to use HTTP-only cookies, and no URL rewriting.
- Verify that the same user is accessing the session on each request.
For instance, store "fingerprint" details such as User Agent and discard
the session if it changes.
- ...
Session Fixation
==============
Session Fixation is similar to Session Hijacking, but rather than
discovering the user's session ID, the attacker chooses a new session ID
and tricks the application into using that session ID.
... and so on ...
Regards,
--
Rowan Collins
[IMSoP]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
