Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Better php.ini overrides for insecure setups
This change is to protect our users against a poorly setup server. PHP can allow pretty scary things security-wise, so it's best to make sure things that can only have one valid setting should be enforced. Thanks to @hyp3rlinx for this.
- Loading branch information
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @michael-e do you see any problems with that commit ?
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have always switched off
trans_sid
if possible. Regarding the other two parameters, I don't know much about 'em. But I like making PHP stuff more secure!b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great thanks!
That's the only recommended value ;)
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@michael-e how about the session.hash_function ?
I think we should set it to 1. md5 is weak.
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no idea if this will improve security, because I don't know what is hashed (by PHP/Symphony) into a session ID.
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks to me like it's random bytes from urandom: https://github.com/php/php-src/blob/d5914d19eb5c78b9c1d4e3dc6048cfaeb5b39e68/ext/session/session.c#L866
See for more infos http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't get it, despite the long explanation on Stackoverflow. If it's just an ID generated from hashed random numbers, how can this make a difference? If an attacker gets your session ID, are you not lost anyway?
Nevertheless, it surely wouldn't be bad to use a stronger algorithm. (The fact that I don't get it does probably not mean that it's useless!)
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LOL. I, too, do not fully get why a stronger hash on random data would be better. But, as far as I can tell, it's only a matter of "risk of collision", meaning, how hard it is to "guess" or "predicts" valid session ids. It's not a matter of not being able to "steal" it. Since the id persists a lot of time, one could try them all and brute force their way into it. Sha1 produces longer ids, hence, it would be harder to brute force.
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm, I wonder why my Symphony session IDs are 26 characters only. An MD5 hash should be 32 characters, a SHA-1 hash would be 40 characters long.
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this?
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, probably.
session.hash_bits_per_character
is5
, globally and locally.b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hyp3rlinx @brendo Should we set it to 5 or 6 ? The goal here is to provide sensible defaults, so should we check the current value and only act when it's not considered "secure/safe" ?
b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could take learnings from the
HttpFoundation
component and move all of this to the user's control. Theoretically the defaults set by php are already the sensible defaults, so the changes we are making are already assuming that we know better than the defaults (sometimes true!).b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this what we already have, i.e. via custom php.ini files ? Some host do not allow them, so should it be config values ? I would do it for values that can have multiple secure-wise valid values...
I have 32 chars ones and my
session.hash_bits_per_character = 4
so the value works as expected. Funny that one would only want half of the bytes to mean something ;)b329a14
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After a bunch of reading and testing, hash config should be a server thing. We are not making more secure as custom values can be even more secure. Default values are sensible enough. I will change my php.ini settings accordingly. Case closed. Thanks 👍