PHP RFC: Session strict mode default ini settings


Changing default setting session.use_strict_mode to use strict mode sessions by default preventing session fixation by session adoption.


Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) as well as the hardcoded default value disable strict mode. However it is recommended to enable it to prevent session fixation issues.

In the vast majority of cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users by changing the default values in our distributed ini files and by changing the hardcoded default in /ext/session/session.c

The default setting for session strict mode will be set to enabled in this proposal.

Backward Incompatible Changes

This proposal only changes a default and doesn't remove any functionality.

The only possible BC break would be if somebody downloads a new PHP version (including ini files) and happens to be among the very few users who needs adoptive sessions and doesn't change the session directive.

Or if somebody downloads a new PHP version and happens to be among the very few users who needs adoptive sessions and doesn't override the hardcoded default by not using ini files.

As such the possible BC impact is almost non-existent.

Also note that a lot of people will be using PHP based on packages which often will come with their own ini files anyway makinh the possible impact of this proposal even smaller.

Proposed PHP Version(s)

PHP 7.3

RFC Impact



To Existing Extensions


To Opcache


New Constants


php.ini Defaults

In both php.ini-development and php.ini-production session.use_strict_mode will be enabled:

session.use_strict_mode = 1

In /ext/session/session.c session.use_strict_mode will be enabled:

STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)

Open Issues


Unaffected PHP Functionality


Proposed Voting Choices

Simple yes/no vote. Yes means changing the default mode in the ini files to enable strict sessions, no means leave it as it is.

Requires a 50%+1 majority

Patches and Tests

No patch supplied yet as it is a trivial change in the ini files and /ext/session/session.c


After the project is implemented, this section should contain

  1. the version(s) it was merged into
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)


Links to external references, discussions or RFCs

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/default-session-strict-mode.txt · Last modified: 2021/03/27 15:01 by ilutov