Hi all,

It seems the importance of session ID validation that prevents collisions
is not recognized enough.

Brute force session ID hijack risk is described here.
https://www.owasp.org/index.php/Insufficient_Session-ID_Length

The expected number of seconds required to guess a valid session
identifier is given by the equation:

(2^B+1)/(2*A*S)

Where:

B is the number of bits of entropy in the session identifier
A is the number of guesses an attacker can try each second
S is the number of valid session identifiers that are valid and
available to be guessed at any given time

It says

"Now assume a 128 bit session identifier that provides 64 bits of
entropy. With a very large web site, an attacker might try 10,000
guesses per second with 100,000 valid session identifiers available to
be guessed. Given these assumptions, the expected time for an attacker
to successfully guess a valid session identifier is greater than 292
years."

292 years may sound long enough. However, even though the document
explicitly states "it requires validated session ID", it is clear
it assumes a "session manager that validates session ID".

Let me paraphrase OWASP's document to show why.

"Now assume a 128 bit session identifier that provides 64 bits of
entropy. With a very large web site, legitimate users might create
10,000 new session IDs per second (new and regenerated sessions) with
10,000,000 valid session identifiers available to be collided with. Given
these assumptions, the expected time for the web system to have a
collided identifier is greater than 2 years."

Assumptions for security should be pessimistic. OWASP makes a pessimistic
assumption for entropy in the session ID, probably because proving "the CSPRNG
generates good quality random bytes" is difficult.

10M active sessions are possible even with relatively small sites
because there are users who use a very long session ID lifetime for
"auto login". 10K new session IDs per second are possible for relatively small
sites also, because OWASP recommends session ID regeneration every
15 minutes.

IMHO, it's nonsense to argue "Session ID collision is very rare and
cannot happen", "PHP Session ID is safe without collision detection",
etc.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
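The two scenarios in the post, worked through in Python as an added example that is not part of the original message or of PHP's session handler. `expected_seconds` is the OWASP equation exactly as quoted, applied once with the attacker's guess rate and once with the server's own session creation rate; `new_session_id`, its `existing` set and the `gen` hook are assumptions that stand in for a session manager that validates each newly generated ID against the live session store before handing it out.

```python
import secrets
from typing import Callable, Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year; reproduces OWASP's "292 years"


def expected_seconds(entropy_bits: int, attempts_per_second: float,
                     valid_ids: int) -> float:
    """OWASP formula (2^B + 1) / (2 * A * S).

    B: bits of entropy in the identifier.
    A: guesses per second (attacker reading) or new IDs generated per
       second (collision reading, as in the post's paraphrase).
    S: valid identifiers that a guess or a fresh ID can hit.
    """
    return (2 ** entropy_bits + 1) / (2 * attempts_per_second * valid_ids)


def expected_years(entropy_bits: int, attempts_per_second: float,
                   valid_ids: int) -> float:
    return expected_seconds(entropy_bits, attempts_per_second,
                            valid_ids) / SECONDS_PER_YEAR


# Constructed parameter sets taken from the post's two quoted scenarios.
ATTACKER_CASE = dict(entropy_bits=64, attempts_per_second=10_000,
                     valid_ids=100_000)
COLLISION_CASE = dict(entropy_bits=64, attempts_per_second=10_000,
                      valid_ids=10_000_000)


def new_session_id(existing: set, id_bytes: int = 16, max_tries: int = 8,
                   gen: Optional[Callable[[], str]] = None) -> str:
    """Allocate a session ID, regenerating when it collides with a live one.

    `existing` is a hypothetical stand-in for the session store's set of
    live IDs; a real store would perform the check under a lock or with an
    atomic create-if-absent. `gen` exists so a test can inject a
    deterministic generator; by default IDs come from secrets.token_hex.
    """
    gen = gen or (lambda: secrets.token_hex(id_bytes))
    for _ in range(max_tries):
        sid = gen()
        if sid not in existing:
            existing.add(sid)  # reserve it so a concurrent caller cannot reuse it
            return sid
    # Repeated collisions mean the generator, not the store, is broken.
    raise RuntimeError("could not allocate a unique session ID")


if __name__ == "__main__":
    print(f"attacker guessing a valid ID: {expected_years(**ATTACKER_CASE):.1f} years")
    print(f"server issuing a colliding ID: {expected_years(**COLLISION_CASE):.2f} years")
    store = set()
    print("allocated:", new_session_id(store))
```

Running it gives roughly 292 years for the attacker scenario and roughly 2.9 years for the collision scenario: the same equation, only with A and S replaced by the server's own issue rate and live session count. The point of `new_session_id` is that the per-creation cost of the store lookup is negligible next to the cost of two users silently sharing a session.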

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php