RE: [php-49] Security question: benefits, if any, of using 'session_regenerate_id'

From: Mike R.
Sent on: Thursday, December 11, 2008 11:08 AM
I'm not sure how this would work. Sounds like you're saying use your own random MD5 as the session id. So in a sense this would be using your own sessions rather than PHP's built-in sessions.

By session id I mean what you use to reference the session.

________________________________________
From: [address removed] [[address removed]] On Behalf Of Richard [[address removed]]
Sent: Thursday, December 11,[masked]:02 AM
To: [address removed]
Subject: Re: [php-49] Security question: benefits, if any, of using 'session_regenerate_id'

Simple fix, Don't use the session id in the hash, instead store a
random MD5 in your session to use as part of the hash, now it follows
the user even if the session is regenerated.


Richard Thomas
http://www.cyberl...



On Dec 11, 2008, at 10:52 AM, Mike Ree wrote:

> If you have multiple windows opened and change the session it will
> mess up all other windows session information. That is a good reason
> why you don't want to change it too often. But it is good to
> understand that sessions can be hijacked and for security reasons
> you may want to change it from time to time.
>
> ________________________________________
> From: [address removed] [[address removed]] On Behalf Of Ryan
> Biesemeyer [[address removed]]
> Sent: Thursday, December 11,[masked]:42 AM
> To: [address removed]
> Subject: Re: [php-49] Security question: benefits, if any, of using
> 'session_regenerate_id'
>
> I don't see much of a benefit to using this function, actually. Sure,
> it introduces the concept of 'moving targets', but it also introduces
> a lot of likelihood for odd behavior, and the function itself is not
> very well documented.
>
> E.G.: Application uses a form token system that relies on a hash of
> time(), session_id(), salt, and $userID, ensuring that a form is from
> the person, session, and time-range I expect before processing it. If
> I were to implement session_regenerate_id(), any form that was
> previously opened (background tabs, additional windows, etc) would
> fail token validation and therefore not be processed, despite the fact
> that the token is within its lifetime.
>
> More importantly though, if a session *was* hijacked, it would be
> equally likely that the cracker would inherit the new session_id and
> the legit user would lose the session (if not more likely, as a
> purposeful hacker would be loading pages at a higher rate than a
> normal user, thus hitting the script more often).
>
> I don't see many benefits to using this; looks like complexity for
> complexity's sake.
>
> -Ryan
>
> On Wed, Dec 10, 2008 at 6:15 PM, Ian Maddox <[address removed]> wrote:
>> This is topical:
>> http://www.server...
>>
>> It is an interesting post on session hijacking that briefly covers
>> session_regenerate_id().  However, you need to use this function with
>> caution.  You must make sure to delete the old session. This can be
>> done by passing true into the function or by using session_destroy().
>> By default, the session is merely copied and not actually renamed, so a
>> compromised sessionID could still be used by an attacker to access a
>> user's account.
>>
>> --Ian
>>
>> On Mon, Dec 8, 2008 at 10:45 PM, David Malouf <[address removed]>
>> wrote:
>>>
>>> Came across this function (http://us3.php.ne... session_regenerate_id).
>>>
>>> Is this used (at the beginning of each PHP/'view' script) to help
>>> prevent 'session-stealing' (or whatever is the correct title for this
>>> idea)?
>>>
>>> What else can/should/might this function be used for?
>>>
>>>
>>> David
>>>
>>> --
>>> Please Note: If you hit "REPLY", your message will be sent to
>>> everyone on
>>> this mailing list ([address removed])
>>> This message was sent by David Malouf ([address removed]) from The
>>> Seattle PHP Meetup Group.
>>> To learn more about David Malouf, visit his/her member profile
>>> To unsubscribe or to update your mailing list settings, click here
>>>
>>> Meetup Support: [address removed]
>>> 632 Broadway, New York, NY 10012 USA
>>
>
>
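The two practical points raised in this thread, Ian's caveat that session_regenerate_id() must be passed true so the old session data is deleted, and Richard's suggestion to key form tokens to a random value stored in the session instead of to session_id(), fit together in one small script. The following is an added example written for this page; it is not code posted by anyone in the thread. The function names (rotateSessionId, sessionSecret, issueFormToken, verifyFormToken), the $_SESSION['form_secret'] key, the token layout and the user id 42 are all assumptions, and it relies on PHP 7.1 or later for random_bytes(), hash_equals() and return type declarations.

```php
<?php
// Added example, not from the thread: a form-token scheme that keeps
// working across session_regenerate_id(), because the token is keyed to
// a random secret stored *in* the session rather than to the session id.

session_start();

// Call right after a privilege change (login, role change). Passing true
// deletes the old session store entry; with the default (false) the old id
// keeps pointing at a copy of the data, which is the problem Ian describes.
function rotateSessionId(): void
{
    session_regenerate_id(true);
}

// Per-session secret, independent of the session id. Since it lives in
// $_SESSION it is carried over when the id is regenerated (Richard's fix).
function sessionSecret(): string
{
    if (empty($_SESSION['form_secret'])) {
        $_SESSION['form_secret'] = bin2hex(random_bytes(32)); // assumed key name
    }
    return $_SESSION['form_secret'];
}

// Token = issueTime . '.' . HMAC-SHA256(secret, formName|userId|issueTime).
// session_id() is deliberately left out, so a token issued to a background
// tab stays valid after rotateSessionId() runs in another tab.
function issueFormToken(string $formName, int $userId): string
{
    $issued = time();
    $mac = hash_hmac('sha256', "$formName|$userId|$issued", sessionSecret());
    return $issued . '.' . $mac;
}

// Recompute the MAC from the same inputs and enforce a lifetime window.
function verifyFormToken(string $token, string $formName, int $userId, int $maxAgeSeconds = 3600): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
        return false; // malformed token
    }
    list($issued, $mac) = $parts;
    $issued = (int) $issued;
    if ($issued > time() || time() - $issued > $maxAgeSeconds) {
        return false; // outside the token's lifetime
    }
    $expected = hash_hmac('sha256', "$formName|$userId|$issued", sessionSecret());
    return hash_equals($expected, $mac); // constant-time comparison
}

// Usage sketch with an assumed user id of 42 after login.
$userId = 42;
$token = issueFormToken('profile_edit', $userId); // would go into a hidden form field
rotateSessionId();                                // e.g. triggered by a request from another tab
var_dump(verifyFormToken($token, 'profile_edit', $userId)); // bool(true): the secret followed the session
```

Because the secret travels with the session data, rotating the id no longer invalidates tokens held by other open windows, while an attacker who captured the old id before the rotation is left with a store entry that no longer exists. Lifetime checking still belongs in the token itself, as Ryan's original scheme had it, since the secret alone does not expire.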