
I'm working on the security of my website and I would like to understand why session_regenerate_id should be used carefully. In the PHP manual (https://www.php.net/manual/en/function.session-regenerate-id.php) they say:

Currently, session_regenerate_id does not handle an unstable network well, e.g. Mobile and WiFi network. Therefore, you may experience a lost session by calling session_regenerate_id.

You should not destroy old session data immediately, but should use destroy time-stamp and control access to old session ID. Otherwise, concurrent access to page may result in inconsistent state, or you may have lost session, or it may cause client(browser) side race condition and may create many session ID needlessly. Immediate session data deletion disables session hijack attack detection and prevention also.

I don't understand why this function could imply lost connections. We send a request to the server, it changes the SID (initialises $_SESSION with the old values and creates a file at the save_file location) so it can send a cookie to the client.

Can anybody explain to me where we can have a session lost? I am really confused by that, but I would like to understand this problem in order to fix it...

Thanks in advance, all :D

PS: I have also read the documentation on https://www.php.net/manual/en/function.session-regenerate-id.php and I don't understand the second example:

function my_session_start() {
    session_start();
    if (isset($_SESSION['destroyed'])) {
        if ($_SESSION['destroyed'] < time()-300) {
            // Should not happen usually. This could be an attack or
            // due to an unstable network. Remove all authentication
            // state from this user's sessions.
            remove_all_authentication_flag_from_active_sessions($_SESSION['userid']);
            throw(new DestroyedSessionAccessException);
        }
        if (isset($_SESSION['new_session_id'])) {
            // Not fully expired yet. The cookie could have been lost
            // on an unstable network. Try to set the proper session
            // ID cookie again.
            // Note: do not try to set the session ID again if you
            // want to remove the authentication state.
            session_commit();
            session_id($_SESSION['new_session_id']);
            // The new session ID must exist
            session_start();
            return;
        }
    }
}

Why, if "time()-300", could it be an attack? And also I don't understand why we should delete a session if it could be a network problem... It will result in a lost connection, no? I don't understand why we should raise an exception. Could someone help me?

Maximilien Faure
  • Welcome to Super User. I don't understand the statement, "...why this function could implies lost connections." The word **implies** seems incorrect for the context. – I say Reinstate Monica Apr 04 '19 at 17:49
  • Thanks ;) "implies" is perhaps not a good word; I just want to know why a bad connection and the fact of using the function session_regenerate_id() could "imply/bring" a loss of session connection like it is said in the text above (sorry for my "English" ^^) – Maximilien Faure Apr 04 '19 at 18:25
  • Let's start by stating that PHP's built-in session mechanism is so-so. All good and popular frameworks implement their own, much more advanced session mechanisms. Related to the question - if you call that function (assuming the request reached the server), PHP alters the session identifier. It tries to send the updated data back to the client. Since it's a wifi or mobile connection, it can break (they break often). The server now has updated data, while the client browser doesn't (request lost due to unstable connection). The client browser delivers old data on refresh, but that session is now gone. Result: lost info. – Mjh Apr 04 '19 at 20:38
  • Ah, I see. Perhaps the words you're looking for are **result in**, as in, "I don't understand why this function could result in lost connections." – I say Reinstate Monica Apr 04 '19 at 20:59
  • @TwistyImpersonator Yeah indeed I would say that word, thanks ;) – Maximilien Faure Apr 05 '19 at 08:24
  • @Mjh Does the connection break often? When I use my smartphone or when I'm connected on WiFi I always get a response from a website (sometimes with a 404, 403 or 500 HTTP error, but I get a response). So does the problem happen when there is an error? – Maximilien Faure Apr 05 '19 at 08:29
  • I don't know if connection breaks often, but wireless connections are unstable and you can't predict if it'll break or when. – Mjh Apr 05 '19 at 08:48
  • @Mjh So if we regenerate a session ID the old session must be kept alive, and if this session is opened we must redirect to the new session. This will fix the problem of a bad connection. But then could you explain to me the code that I have added to my post? I don't understand, in the first condition, if it's a problem of a bad connection, why we should close the connection. And in the second condition we reload a new session, but it could be an attack, no? – Maximilien Faure Apr 05 '19 at 08:58

1 Answer


That text is trying to say "If the destroyed timestamp is set, and that timestamp is more than 5 minutes old, then probably somebody got their hands on a cookie and is trying to hijack a session. If it's less than 5 minutes old, it's probably just the user experiencing network problems." So, if it IS a session hijack, you want to delete the session and log an error somewhere. If it is just a network problem, you want to update the session. Also worth noting that the sample code is missing an else on the if ($_SESSION['destroyed'] < time()-300) block.

tkohhh
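To make the destroy-timestamp pattern concrete for both the manual excerpt quoted in the question and the answer above, here is an added example written for this page; it is not the PHP manual's own code, nor the asker's or answerer's. It pairs a regenerate function (marks the old session, then adopts a new ID) with the start function (re-points a client inside the grace window, rejects access after it). It assumes PHP 7.1 or later for session_create_id(); the names logout_all_sessions_for_user and DestroyedSessionAccessException are hypothetical placeholders for the application's own logic.

```php
<?php
// Added example modelled on the pattern the PHP manual describes:
// the old session is not destroyed at once but marked with a
// 'destroyed' timestamp and the new session ID, so a browser whose
// Set-Cookie response was lost on a flaky network can be re-pointed
// at the new ID instead of losing its session.
// Assumes PHP >= 7.1 for session_create_id(). The helper names
// logout_all_sessions_for_user and DestroyedSessionAccessException
// are hypothetical placeholders, not PHP or manual APIs.

const DESTROY_GRACE_SECONDS = 300; // the manual's time()-300 window

class DestroyedSessionAccessException extends RuntimeException {}

// Hypothetical: drop authentication state in every session of this
// user (in a real app: a flag or revocation list in the session store).
function logout_all_sessions_for_user(?string $userId): void {
    error_log('destroyed session accessed after grace window; user='
        . ($userId ?? 'n/a'));
}

function my_session_regenerate_id(): void {
    // Snapshot the data: session_start() with a fresh ID begins from
    // an empty $_SESSION, so the copy is what carries it over.
    $data = $_SESSION;

    // Mark the old record: where to go, and since when it is retired.
    $newId = session_create_id();
    $_SESSION['new_session_id'] = $newId;
    $_SESSION['destroyed'] = time();
    session_commit(); // old record written with both markers

    // Adopt the new ID. Strict mode must be relaxed for this one call
    // because PHP would otherwise refuse an ID it has not stored yet.
    session_id($newId);
    ini_set('session.use_strict_mode', '0');
    session_start();
    ini_set('session.use_strict_mode', '1');

    // Restore the user's data; the markers belong only to the old record.
    $_SESSION = $data;
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
}

function my_session_start(): void {
    ini_set('session.use_strict_mode', '1'); // reject unknown IDs
    session_start();
    if (!isset($_SESSION['destroyed'])) {
        return; // live session, nothing to do
    }
    if ($_SESSION['destroyed'] < time() - DESTROY_GRACE_SECONDS) {
        // Retired record used long after the window: a browser that
        // merely lost the cookie would have retried minutes ago, so
        // treat it as a possible replay of a copied cookie.
        logout_all_sessions_for_user($_SESSION['userid'] ?? null);
        throw new DestroyedSessionAccessException('destroyed session accessed');
    }
    if (isset($_SESSION['new_session_id'])) {
        // Inside the window: most likely the Set-Cookie response never
        // arrived. Switch this request to the new session; PHP sends
        // the session cookie again on this response.
        $newId = $_SESSION['new_session_id'];
        session_commit();
        session_id($newId);
        session_start();
    }
    // A record with 'destroyed' but no 'new_session_id' is a logout in
    // progress: leave it unauthenticated rather than re-pointing it.
}

// Typical use: start every request through my_session_start(), and
// regenerate right after a privilege change such as a successful login.
// my_session_start();
// if ($loginOk) { my_session_regenerate_id(); $_SESSION['userid'] = $user; }
```

The grace window is what lets the two cases in the manual's snippet be told apart: a retried request from a client that lost the cookie arrives within seconds, whereas the old ID showing up after five minutes means someone is presenting a cookie the real browser stopped using, which is why that branch revokes authentication and throws instead of quietly reloading the new session.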