Hi all,

"The default 128 bits Session ID is large enough to ignore collisions" discussion is added for new readers and people who couldn't follow the discussion in ML threads.

https://wiki.php.net/rfc/session-create-id#discussions

For the record, when the session module was implemented, the way it is now was considered good enough for most users. Circumstances change as time goes by.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

On Mon, Aug 15, 2016 at 5:13 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> It seems the importance of session ID validation that prevents collisions
> is not recognized enough.
>
> Brute force session ID hijack risk is described here.
> https://www.owasp.org/index.php/Insufficient_Session-ID_Length
>
> The expected number of seconds required to guess a valid session
> identifier is given by the equation:
>
> (2^B+1)/(2*A*S)
>
> Where:
>
> B is the number of bits of entropy in the session identifier
> A is the number of guesses an attacker can try each second
> S is the number of valid session identifiers that are valid and
> available to be guessed at any given time
>
> It says
>
> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy. With a very large web site, an attacker might try 10,000
> guesses per second with 100,000 valid session identifiers available to
> be guessed. Given these assumptions, the expected time for an attacker
> to successfully guess a valid session identifier is greater than 292
> years."
>
> 292 years may sound long enough. However, even though the document
> explicitly states "it requires validated session ID", it is clear
> it assumes "session manager that validates session ID".
>
> Let me paraphrase OWASP's document to show why.
>
> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy. With a very large web site, legitimate users might create
> 10,000 new session IDs per second (new and regenerated sessions) with
> 10,000,000 valid session identifiers available to be collided. Given
> these assumptions, the expected time for the web system to have a
> collided identifier is greater than 2 years."
>
> Assumptions for security should be pessimistic. OWASP makes a pessimistic
> assumption for entropy in session IDs, probably because proving "CSPRNG
> generates good quality random bytes" is difficult.
>
> 10M active sessions is possible even with relatively small sites
> because there are users who use a very long session ID lifetime for
> "auto login". 10K new session IDs is possible for relatively small
> sites also because OWASP recommends session ID regeneration every
> 15 minutes.
>
> IMHO, it's nonsense to argue "Session ID collision is very rare and
> cannot happen", "PHP Session ID is safe without collision detection",
> etc.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
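The following is an added example, not code from the thread, from PHP, or from OWASP. It applies the expected-time formula quoted above to both sets of assumptions in the thread (the OWASP brute-force case and the collision paraphrase), and pairs it with a toy in-memory session store (constructed here, with a hypothetical `SessionStore` class) that performs the validation step the thread argues for: a freshly generated ID is checked against the set of live IDs and regenerated on a collision instead of being handed out twice. The `id_bytes` parameter is deliberately tunable so a test can shrink the ID space until collisions actually occur.

```python
"""Added example (not part of the mailing-list thread): OWASP's expected
time-to-guess formula from the thread, plus a collision-checking session
ID allocator of the kind the thread says a session manager should have."""
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_seconds(bits_of_entropy: int, rate_per_second: float, valid_ids: int) -> float:
    """Formula quoted in the thread: (2^B + 1) / (2 * A * S).

    B = bits of entropy in the identifier, A = guesses (or, in the
    collision reading, new IDs created) per second, S = IDs valid at once.
    """
    return (2 ** bits_of_entropy + 1) / (2 * rate_per_second * valid_ids)


def expected_years(bits_of_entropy: int, rate_per_second: float, valid_ids: int) -> float:
    """Same quantity in years, which is how both quotes in the thread state it."""
    return expected_seconds(bits_of_entropy, rate_per_second, valid_ids) / SECONDS_PER_YEAR


class SessionStore:
    """Toy in-memory session store (constructed for this example).

    create_id() refuses to reuse an ID that is still live: that check is
    the "session manager that validates session ID" assumption the thread
    says the OWASP figure silently relies on.
    """

    def __init__(self, id_bytes: int = 16):
        self.id_bytes = id_bytes        # 16 bytes = 128-bit ID, as in the thread
        self.live: set[str] = set()     # IDs currently valid
        self.collisions = 0             # how often a fresh ID hit a live one

    def create_id(self, max_attempts: int = 100) -> str:
        for _ in range(max_attempts):
            sid = secrets.token_hex(self.id_bytes)  # CSPRNG-backed
            if sid not in self.live:    # the validation step
                self.live.add(sid)
                return sid
            self.collisions += 1        # regenerate instead of reusing
        raise RuntimeError("could not allocate a unique session id")

    def destroy_id(self, sid: str) -> None:
        self.live.discard(sid)


if __name__ == "__main__":
    # OWASP brute-force assumptions: 64 bits of entropy, 10,000 guesses/s,
    # 100,000 valid IDs -> about 292 years.
    print(f"guess: {expected_years(64, 10_000, 100_000):.1f} years")
    # Thread's collision paraphrase: 10,000 new IDs/s, 10,000,000 live IDs
    # -> about 2.9 years.
    print(f"collide: {expected_years(64, 10_000, 10_000_000):.1f} years")

    # Shrink the ID space to one byte so collisions show up immediately.
    store = SessionStore(id_bytes=1)
    for _ in range(128):
        store.create_id()
    print(f"live={len(store.live)} collisions rejected={store.collisions}")
```

The two printed figures reproduce the thread's "292 years" and "2 years" numbers from the same formula; the only difference between them is what A and S are taken to mean. The store shows why the validation step matters: with a one-byte ID space the allocator rejects many duplicate draws, yet every ID it returns is unique, which is exactly the property that lets the expected-time estimate be interpreted as time until an attacker succeeds rather than time until two legitimate users share a session.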