rfc:default-session-strict-mode

rfc:default-session-strict-mode [2018/02/13 17:41] peehaa
rfc:default-session-strict-mode [2018/02/13 18:50] peehaa
Line 7: Line 7:
  
 ===== Introduction ===== ===== Introduction =====
-Changing default setting of distributed .ini's to use strict mode sessions by default.+Changing default setting ''session.use_strict_mode'' of distributed .ini's to use strict mode sessions by default preventing session fixation by session adoption.
  
 ===== Proposal ===== ===== Proposal =====
-Currently strict mode for session is disabled by default in our distributed ini files (php.ini-development and php.ini-production). However it is recommended to enable it to prevent session fixation issues.+Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) disable strict mode. However it is recommended to enable it to prevent session fixation issues
 + 
 +In by far the most cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
-What breaks, and what is the justification for it?+This proposal only changes a default in the distributed ini files and doesn't remove any functionality. 
 +The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn't change the session directive. 
 + 
 +As such the possible BC impact is almost non-existent.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
-List the proposed PHP versions that the feature will be included in.  Use relative versions such as "next PHP 7.x" or "next PHP 7.x.y".+PHP 7.next
  
 ===== RFC Impact ===== ===== RFC Impact =====
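Review bot: the new Proposal and Backward Incompatible Changes text never states what strict mode actually does, so a voter cannot judge the "almost non-existent" BC claim from this page alone; add one sentence to the Introduction or Proposal spelling out the behaviour the Introduction only alludes to (with ''session.use_strict_mode'' enabled, a session ID sent by the client that the save handler does not recognise is not adopted and a new ID is issued instead). The BC paragraph should then state the visible effect for the "very few users who needs adoptive sessions" (a pre-created, unknown ID results in a fresh empty session rather than the one the application expected), and while there fix "who needs" to "who need" and add the missing full stop after "session fixation issues". "In by far the most cases" also reads awkwardly; "In the vast majority of cases" says the same thing more clearly.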
Line 23: Line 28:
  
 ==== To Existing Extensions ==== ==== To Existing Extensions ====
-None?+None
  
 ==== To Opcache ==== ==== To Opcache ====
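Review bot: "None" under To Existing Extensions only holds if the hardcoded default inside ext/session stays as it is; the Backward Incompatible Changes text in the first hunk says only the distributed ini files change, so say so explicitly here (for example "None; the ext/session hardcoded default is unchanged, only php.ini-development and php.ini-production are touched") so that the two sections visibly agree.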
Line 32: Line 37:
  
 ==== php.ini Defaults ==== ==== php.ini Defaults ====
-If there are any php.ini settings then list: +In both php.ini-development and php.ini-production ''session.use_strict_mode'' will be enabled: 
-  * hardcoded default values + 
-  * php.ini-development values +<code>session.use_strict_mode = 1</code>
-  * php.ini-production values+
  
 ===== Open Issues ===== ===== Open Issues =====
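Review bot: the removed template bullets asked for three values (hardcoded default, php.ini-development value, php.ini-production value) but the replacement gives only the two ini-file values; state the hardcoded default too, and that this RFC leaves it alone, so readers know that a build run without an ini file, or with a custom ini that omits the directive, keeps the previous behaviour. It would also help to show the line as it appears before and after the change (the existing "session.use_strict_mode = 0" line becoming "session.use_strict_mode = 1") rather than only the new value.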
Line 44: Line 48:
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
-Simple yes/no vote. Yes means changing the default mode in the ini files, no means leave it as it is.+Simple yes/no vote. Yes means changing the default mode in the ini files to enable strict sessions, no means leave it as it is.
  
-State whether this project requires 2/3 or 50%+1 majority (see [[voting]])+Requires a 50%+1 majority
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
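Review bot: the replacement "Requires a 50%+1 majority" drops the link to [[voting]] that the template line carried; keep the link next to the majority statement so readers can check that a change to the shipped ini defaults qualifies for a simple majority rather than the 2/3 required for language changes. The vote wording itself ("Yes means changing the default mode in the ini files to enable strict sessions") is now clear.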
rfc/default-session-strict-mode.txt · Last modified: 2021/03/27 15:01 by ilutov