
RE: [php-49] Security question: benefits, if any, of using 'session_regenerate_id'

From: Mike R.
Sent on: Thursday, December 11, 2008 11:31 AM
Yeah, that is actually what I do. I use a counter hash as a session id, then use a random hash which can change as a way to authenticate the id. I have my own session handler, which is database based.

Thing to note when doing this is PHP sessions don't have a way to do this automatically. You will need to set and maintain another cookie to be used as your hash, or attach a URL string. Thought I should state this since the thread started off talking about session_regenerate_id. Might be confusing to some that reference this.

________________________________________
From: [address removed] [[address removed]] On Behalf Of Richard [[address removed]]
Sent: Thursday, December 11,[masked]:12 AM
To: [address removed]
Subject: Re: [php-49] Security question: benefits, if any, of using 'session_regenerate_id'

Instead of using the session_id to make your hash unique per user,
store an md5 in the session. It's not used as the session id, it's just
used to verify your hash.

Richard Thomas
http://www.cyberl...



On Dec 11, 2008, at 11:08 AM, Mike Ree wrote:

> I'm not sure how this would work. Sounds like you're saying use your
> own random md5 as the session id. So in a sense this would be using
> your own sessions rather than PHP's built in sessions.
>
> By session id I mean what you use to reference the session.
>
> ________________________________________
> From: [address removed] [[address removed]] On Behalf Of Richard [[address removed]]
> Sent: Thursday, December 11,[masked]:02 AM
> To: [address removed]
> Subject: Re: [php-49] Security question: benefits, if any, of using
> 'session_regenerate_id'
>
> Simple fix: don't use the session id in the hash; instead store a
> random MD5 in your session to use as part of the hash. Now it follows
> the user even if the session is regenerated.
>
>
> Richard Thomas
> http://www.cyberl...
>
>
>
> On Dec 11, 2008, at 10:52 AM, Mike Ree wrote:
>
>> If you have multiple windows opened and change the session it will
>> mess up all other windows session information. That is a good reason
>> why you don't want to change it too often. But it is good to
>> understand that sessions can be hijacked and for security reasons
>> you may want to change it from time to time.
>>
>> ________________________________________
>> From: [address removed] [[address removed]] On Behalf Of Ryan
>> Biesemeyer [[address removed]]
>> Sent: Thursday, December 11,[masked]:42 AM
>> To: [address removed]
>> Subject: Re: [php-49] Security question: benefits, if any, of using
>> 'session_regenerate_id'
>>
>> I don't see much of a benefit to using this function, actually. Sure,
>> it introduces the concept of 'moving targets', but it also introduces
>> a lot of likelihood for odd behavior, and the function itself is not
>> very well documented.
>>
>> E.G.: Application uses a form token system that relies on a hash of
>> time(), session_id(), salt, and $userID, ensuring that a form is from
>> the person, session, and time-range I expect before processing it. If
>> I were to implement session_regenerate_id(), any form that was
>> previously opened (background tabs, additional windows, etc) would
>> fail token validation and therefore not be processed, despite the fact
>> that the token is within its lifetime.
>>
>> More importantly though, if a session *was* hijacked, it would be
>> equally likely that the cracker would inherit the new session_id and
>> the legit user would lose the session (if not more likely, as a
>> purposeful hacker would be loading pages at a higher rate than a
>> normal user, thus hitting the script more often).
>>
>> I don't see many benefits to using this; looks like complexity for
>> complexity's sake.
>>
>> -Ryan
>>
>> On Wed, Dec 10, 2008 at 6:15 PM, Ian Maddox <[address removed]> wrote:
>>> This is topical:
>>> http://www.server...
>>>
>>> It is an interesting post on session hijacking that briefly covers
>>> session_regenerate_id(). However, you need to use this function with
>>> caution. You must make sure to delete the old session. This can be
>>> done by passing true into the function or by using session_destroy().
>>> By default, the session is merely copied and not actually renamed, so
>>> a compromised sessionID could still be used by an attacker to access
>>> a user's account.
>>>
>>> --Ian
>>>
>>> On Mon, Dec 8, 2008 at 10:45 PM, David Malouf <[address removed]>
>>> wrote:
>>>>
>>>> Came across this function (http://us3.php.ne... session_regenerate_id).
>>>>
>>>> Is this used (at the beginning of each PHP/'view' script) to help
>>>> prevent 'session-stealing' (or whatever is the correct title for this
>>>> idea)?
>>>>
>>>> What else can/should/might this function be used for?
>>>>
>>>>
>>>> David
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Please Note: If you hit "REPLY", your message will be sent to
>>>> everyone on
>>>> this mailing list ([address removed])
>>>> This message was sent by David Malouf ([address removed]) from
>>>> The
>>>> Seattle PHP Meetup Group.
>>>> To learn more about David Malouf, visit his/her member profile
>>>> To unsubscribe or to update your mailing list settings, click here
>>>>
>>>> Meetup Support: [address removed]
>>>> 632 Broadway, New York, NY 10012 USA
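Added example (not code from any poster in this thread) pulling together the three points made above: Ian's caveat that session_regenerate_id() must be passed true so the old session is deleted, Richard's suggestion to key the form hash to a random value stored in the session rather than to session_id(), and Ryan's concern that forms already open in other tabs must keep validating after a rotation. It assumes PHP 7.1+ and uses an HMAC in place of the md5 the posters mention; $userId, $salt and the 'form_secret' key are hypothetical names.

```php
<?php
// Added example, not code from anyone in this thread. Assumes PHP 7.1+;
// $userId and $salt are hypothetical application values.
declare(strict_types=1);

session_start();

// Call after login or any privilege change, not on every request:
// true deletes the old session data so a copied id stops working.
function rotateSessionId(): void
{
    session_regenerate_id(true);
}

// One random secret per session, stored in the session itself, so it
// follows the user across a regenerated id (Richard's suggestion).
function sessionSecret(): string
{
    if (empty($_SESSION['form_secret'])) {
        $_SESSION['form_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_secret'];
}

// Token = issue time + HMAC over (time, user, salt) keyed by the secret;
// the session id is deliberately not an input.
function issueFormToken(int $userId, int $now, string $salt): string
{
    $mac = hash_hmac('sha256', "$now|$userId|$salt", sessionSecret());
    return "$now.$mac";
}

// True only if the token was minted for this user within $lifetime seconds.
function checkFormToken(string $token, int $userId, int $now, string $salt, int $lifetime = 3600): bool
{
    [$issued, $mac] = array_pad(explode('.', $token, 2), 2, '');
    if (!ctype_digit($issued) || $now - (int)$issued > $lifetime || (int)$issued > $now) {
        return false;
    }
    $expected = hash_hmac('sha256', "$issued|$userId|$salt", sessionSecret());
    return hash_equals($expected, $mac);
}

// Usage: a token issued before rotation still validates afterwards,
// while a token for another user does not.
$salt = 'hypothetical-app-salt';
$token = issueFormToken(42, time(), $salt);
rotateSessionId();
var_dump(checkFormToken($token, 42, time(), $salt));
var_dump(checkFormToken($token, 43, time(), $salt));
```

Because the secret lives inside $_SESSION, it is carried over by session_regenerate_id(true) along with the rest of the session data, which is what lets background tabs keep working while the old id is invalidated.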
