Hi Tjerk,

On Thu, Sep 26, 2013 at 7:32 PM, Tjerk Meesters <tjerk.meest...@gmail.com>wrote:

>
>> Many people still have dynamic IP addresses for their home connections,
>> but
>> the group who would suffer the most would be mobile users. It's pretty
>> frustrating to use most sites with a phone as it is, without being kicked
>> off every time you switch between GPRS or HSDPA or whatever.
>>
>
> Aha! I'm glad that you brought up mobile devices, because for those it's
> more likely that in certain cases the updated cookie is not received while
> the server believes that it was; scenario: "I stepped into an elevator and
> was disconnected when I got out.". This makes it an unattractive option to
> have enabled by default.
>

When IP packets are lost, clients may not receive the new session ID.
This may occur when packets are lost while the server is trying to set
the new session ID cookie. Unless users have really bad connections,
this is unlikely to happen.

Users who are concerned about this situation should disable it. Users
who are concerned about security should accept this case.

The motivation of the feature is to encourage secure session
management for users, not to cover all situations perfectly. Changing
the session ID on events is a security best practice. Failures in rare cases
would not make it a bad practice.

This feature cannot be enabled by default, since the HTTP header that
indicates the client IP may vary.

Anyway, how many of us follow session ID management security best
practices?

 - login
 - logout
 - re-authentication (e.g. require a password to change sensitive info)
 - timeout (long-lived session IDs should be renewed)
 - IP change (this could be a hijacked session)
 - else?

Regenerating the session ID at login is mandatory, so I suppose
everyone does. (If not, you must.) Generally speaking, if the session
ID changes more frequently, hijack attacks become more difficult.

Even though the session ID is the center of web security, it is fragile.
Therefore, it should be made as secure as possible whenever it can be. IMHO.

Regards,

P.S. As I wrote in the previous mail, I'll start from documentation.
Even if I made a patch, it would be an optional feature anyway.

--
Yasuo Ohgaki
yohg...@ohgaki.net

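The regeneration events listed in the message above (login, logout, re-authentication, timeout, IP change) and the lost-cookie failure mode from the quoted reply, worked through as an added illustration that is not part of this thread, not PHP's session module and not the patch under discussion. All names, the timeout values and the 60-second grace window are assumptions. The manager rotates the ID on each event, keeps the superseded ID resolvable for a short grace window so a client that never received the Set-Cookie is migrated rather than kicked off, and revokes the whole ID chain when an old ID is presented after that window (which is what a replayed stolen cookie looks like):

```python
# Session manager that rotates the session ID on security events. Illustration
# added to this thread: not PHP's session module and not the patch discussed
# here. All names, timeouts and the grace window are assumed values.
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    client_ip: str
    created: float
    last_seen: float
    user: Optional[str] = None
    authenticated_at: float = 0.0
    data: dict = field(default_factory=dict)
    # Set when this ID was replaced. The old ID stays resolvable for a short
    # grace window so a client that never received the new cookie (the
    # "stepped into an elevator" case) is migrated instead of being kicked off.
    superseded_by: Optional[str] = None
    superseded_at: float = 0.0

class SessionManager:
    ID_LIFETIME = 15 * 60    # rotate IDs older than this (assumed value)
    IDLE_TIMEOUT = 30 * 60   # drop sessions idle longer than this (assumed)
    GRACE = 60               # old ID honoured this long after rotation (assumed)
    REAUTH_WINDOW = 5 * 60   # sensitive changes need a password within this (assumed)

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock, for tests
        self.store: dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG

    def start(self, client_ip: str) -> str:
        sid, t = self._new_id(), self.now()
        self.store[sid] = Session(client_ip, created=t, last_seen=t)
        return sid

    def regenerate(self, sid: str) -> str:
        """Copy the session under a fresh ID and mark the old ID superseded."""
        old, t, new_sid = self.store[sid], self.now(), self._new_id()
        self.store[new_sid] = Session(old.client_ip, created=t, last_seen=t,
                                      user=old.user, data=dict(old.data),
                                      authenticated_at=old.authenticated_at)
        old.superseded_by, old.superseded_at = new_sid, t
        return new_sid

    def destroy(self, sid: str) -> None:
        """Remove an ID and every ID it was later migrated to."""
        while sid in self.store:
            sid = self.store.pop(sid).superseded_by

    def resolve(self, sid: str, client_ip: str) -> Optional[tuple[str, Session]]:
        """Validate a presented cookie: returns (effective_sid, session) or None.
        If effective_sid differs from sid, the caller must re-send the cookie."""
        sess, t = self.store.get(sid), self.now()
        if sess is None:
            return None
        if sess.superseded_by is not None:
            if t - sess.superseded_at > self.GRACE:
                # An old ID long after rotation is a badly broken client or a
                # replayed stolen cookie; revoke the old ID and its successors.
                self.destroy(sid)
                return None
            return self.resolve(sess.superseded_by, client_ip)   # lost Set-Cookie
        if t - sess.last_seen > self.IDLE_TIMEOUT:
            self.destroy(sid)
            return None
        sess.last_seen = t
        if sess.client_ip != client_ip:
            # IP changed: roaming phone or hijacked cookie. Keep the data but
            # move it under a new ID so any stolen copy stops working.
            sess.client_ip = client_ip
            sid = self.regenerate(sid)
        elif t - sess.created > self.ID_LIFETIME:
            sid = self.regenerate(sid)          # long-lived ID: renew it
        return sid, self.store[sid]

    def login(self, sid: str, user: str) -> str:
        """Rotate at privilege change so a pre-login (fixated) ID is worthless."""
        new_sid = self.regenerate(sid)
        self.store[new_sid].user, self.store[new_sid].authenticated_at = user, self.now()
        return new_sid

    def logout(self, sid: str, client_ip: str) -> str:
        """Drop the whole ID chain and hand out a fresh anonymous session."""
        self.destroy(sid)
        return self.start(client_ip)

    def needs_reauth(self, sid: str) -> bool:
        """Sensitive changes require a password entered within REAUTH_WINDOW."""
        return self.now() - self.store[sid].authenticated_at > self.REAUTH_WINDOW

    def reauthenticate(self, sid: str) -> str:
        """Called after the password was checked again; also rotates the ID."""
        return self.login(sid, self.store[sid].user)
```

The design choice worth noting is the grace window: it is what makes the IP-change and timeout rotations tolerable on a flaky mobile link, because a request carrying the old ID shortly after rotation simply gets the new cookie re-sent. Presenting the old ID after the window is treated as a possible replay of a stolen cookie, and the conservative response is to revoke both the old ID and everything it was migrated to rather than only the copy the attacker holds.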