Session regenerate causes expired session with fast AJAX calls

Question

My application is a full AJAX web page using Codeigniter Framework and memcached session handler.

Sometimes, it sends a lot of asynchronous calls and if session has to regenerate its ID (to avoid session fixation security issue), the session cookie is not renewed fast enough and some AJAX calls fail due to session id expired.

Here is a schematic picture I made to show clearly the problem :

I walked across the similar threads (for example this one) but the answers doesn't really solve my problem, I can't disable the security as there is only AJAX calls in my application.

Nevertheless, I have an Idea and I would like an opinion before hacking into the Codeigniter session handler classes : The idea is to manage 2 simultaneous session Ids for a while, for example 30 seconds. This would be a maximum request execution time. Therefore, after session regeneration, the server would still accept the previous session ID, and switch to session to the new one. Using the same picture that would give something like this :

Answer 1

First of all, your proposed solution is quite reasonable. In fact, the people at OSWAP advise just that:

The web application can implement an additional renewal timeout after which the session ID is automatically renewed. (...) The previous session ID value would still be valid for some time, accommodating a safety interval, before the client is aware of the new ID and starts using it. At that time, when the client switches to the new ID inside the current session, the application invalidates the previous ID.

Unfortunately this cannot be implemented with PHP's standard session management (or I don't know how to do that). Nevertheless, implementing this behaviour in a custom session driver ¹ should not pose any serious problem.

I am now going to make a bold statement: the whole idea of regenerating the session ID periodically, is broken. Now don't get me wrong, regenerating the session ID on login (or more accurately, as OSWAP put it, on "privilege level change") is indeed a very good defense against session fixation.

But regenerating session IDs regularly poses more problems than it solves: during the interval when the two sessions co-exist, they must be synchronised or else one runs the risk loosing information from the expiring session.

There are better (and easier) defenses against simple session theft: use SSL (HTTPS). Periodic session renewal should be regarded as the poor man's workaround to this attack vector.

---

¹ link to the standard PHP way

Answer 2

your problem seems to be less with the actual speed of the requests (though it is a contributing factor) but more with concurrency. If i understand right, your javascript application makes many (async) ajax calls - fast (presumably in bursts)- and sometimes some of them fail due to session invalidation due to what you think is speed of requests issue. Well i think that the problem is that you actually have several concurrent requests to the server, while the first one has its session renewed the other essentially cannot see it because the request is already made and waits to be processed by the server.

This problem will of course manifest itself only when doing several requests for the same user simultaneously.

Now The real question here - what in your application business logic demands for this?

It looks to me that you are trying to find a technical solution to a 'business' problem. What i mean is that either you've mis-interpreted your requirements, or the requirements are just not that well thought/specified.

I would advice you to try some of the following:

• ask yourself if these multiple simultaneous requests can be combined to one

• look deeply into the requirements and try to find the real reason why you do what you do, maybe there is no real business reason for this

• every time before you fire the series of requests fire a 'refresh' ajax request to get the new session, and only on success proceed with all the other requests

Hope some of what i've wrote help to guide you to solution. Good luck