rfc:default-session-strict-mode

PHP RFC: Session strict mode default ini settings

Introduction

Changing default setting session.use_strict_mode to use strict mode sessions by default preventing session fixation by session adoption.

Proposal

Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) as well as the hardcoded default value disable strict mode. However it is recommended to enable it to prevent session fixation issues.

In the vast majority of cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users by changing the default values in our distributed ini files and by changing the hardcoded default in /ext/session/session.c

The default setting for session strict mode will be set to enabled in this proposal.

Backward Incompatible Changes

This proposal only changes a default and doesn't remove any functionality.

The only possible BC break would be if somebody downloads a new PHP version (including ini files) and happens to be among the very few users who needs adoptive sessions and doesn't change the session directive.

Or if somebody downloads a new PHP version and happens to be among the very few users who needs adoptive sessions and doesn't override the hardcoded default by not using ini files.

As such the possible BC impact is almost non-existent.

Also note that a lot of people will be using PHP based on packages which often will come with their own ini files anyway makinh the possible impact of this proposal even smaller.

Proposed PHP Version(s)

PHP 7.3

RFC Impact

To SAPIs

None

To Existing Extensions

None

To Opcache

None

New Constants

None

php.ini Defaults

In both php.ini-development and php.ini-production session.use_strict_mode will be enabled:

session.use_strict_mode = 1

In /ext/session/session.c session.use_strict_mode will be enabled:

STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)

Open Issues

None

Unaffected PHP Functionality

N/A

Proposed Voting Choices

Simple yes/no vote. Yes means changing the default mode in the ini files to enable strict sessions, no means leave it as it is.

Requires a 50%+1 majority

Patches and Tests

No patch supplied yet as it is a trivial change in the ini files and /ext/session/session.c

Implementation

After the project is implemented, this section should contain

  1. the version(s) it was merged into
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)

References

Links to external references, discussions or RFCs

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/default-session-strict-mode.txt · Last modified: 2018/03/21 11:30 by peehaa