rfc:default-session-strict-mode

rfc:default-session-strict-mode [2018/02/13 18:50] peehaarfc:default-session-strict-mode [2018/02/13 20:08] peehaa
Line 1: Line 1:
 ====== PHP RFC: Session strict mode default ini settings ====== ====== PHP RFC: Session strict mode default ini settings ======
-  * Version: 0.1+  * Version: 0.2
   * Date: 2018-02-13   * Date: 2018-02-13
   * Author: Pieter Hordijk, peehaa@php.net   * Author: Pieter Hordijk, peehaa@php.net
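Review bot: The version bump from 0.1 to 0.2 has no accompanying record of what changed. Since the rest of this revision widens the proposal from the distributed ini files to the hardcoded default in ext/session/session.c, that should be written down as a changelog line (PHP RFCs conventionally end with a Changelog section) so that readers of 0.2 see the scope grew, not just the number.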
Line 7: Line 7:
  
 ===== Introduction ===== ===== Introduction =====
-Changing default setting ''session.use_strict_mode'' of distributed .ini'to use strict mode sessions by default preventing session fixation by session adoption.+Changing default setting ''session.use_strict_mode'' to use strict mode sessions by default preventing session fixation by session adoption.
  
 ===== Proposal ===== ===== Proposal =====
-Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) disable strict mode. However it is recommended to enable it to prevent session fixation issues.+Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) as well as the hardcoded default value disable strict mode. However it is recommended to enable it to prevent session fixation issues.
  
-In by far the most cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users. +In the vast majority of cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users by changing the default values in our distributed ini files and by changing the hardcoded default in ''/ext/session/session.c''
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
-This proposal only changes a default in the distributed ini files and doesn't remove any functionality.+This proposal only changes a default and doesn't remove any functionality. 
 The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn't change the session directive. The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn't change the session directive.
 +
 +Or if somebody downloads a new PHP version //and// happens to be among the very few users who needs adoptive sessions //and// doesn't override the hardcoded default by not using ini files.
  
 As such the possible BC impact is almost non-existent. As such the possible BC impact is almost non-existent.
 +
 +Also note that a lot of people will be using PHP based on packages which often will come with their own ini files anyway makinh the possible impact of this proposal even smaller.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
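Review bot: The second BC-break sentence added in this region reads as a double negative: "doesn't override the hardcoded default by not using ini files". Suggest "and runs PHP without an ini file, so the hardcoded default applies." Two smaller fixes in the same region: "makinh" should be "making" in the packages paragraph, and the Proposal paragraph now ends at ''/ext/session/session.c'' without a full stop. On the packages paragraph itself, the observation cuts the other way too: users of distribution packages keep whatever their packaged ini sets until the packagers update it, and the new hardcoded default only reaches them if that ini leaves session.use_strict_mode unset. It is worth saying so explicitly, otherwise the paragraph reads as if the small BC impact also meant the protection lands everywhere.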
Line 40: Line 45:
  
 <code>session.use_strict_mode = 1</code> <code>session.use_strict_mode = 1</code>
 +
 +In /ext/session/session.c ''session.use_strict_mode'' will be enabled:
 +
 +<code>STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)</code>
  
 ===== Open Issues ===== ===== Open Issues =====
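Review bot: Flipping the hardcoded default is a larger change than the ini edit above it, because it affects every build that runs without an ini file or whose ini leaves the directive unset, including the test runner; any tests under ext/session/tests that start from the default and assume session adoption is allowed should be checked, and a test asserting that a fresh process reports session.use_strict_mode as enabled is worth adding alongside the change. A style point in the same region: the introducing sentence writes the path as /ext/session/session.c while the Proposal paragraph writes ''/ext/session/session.c''; pick one form (the quoted, repo-relative ext/session/session.c without the leading slash matches how the rest of the PHP source is usually referenced). The elided arguments in ''STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)'' are fine for an RFC as long as the patch shows the full entry.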
Line 53: Line 62:
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
-No patch supplied yet as it is a trivial change in the ini files.+No patch supplied yet as it is a trivial change in the ini files and ''/ext/session/session.c''
  
 ===== Implementation ===== ===== Implementation =====
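Review bot: "Trivial change" no longer justifies the missing patch once ext/session/session.c is in scope: a one-line default flip in C still warrants a pull request so the test suite runs against it, and a linked patch is what voters normally expect before an RFC goes to vote. Suggest replacing this line with the PR link once it exists; also the sentence now ends at ''/ext/session/session.c'' without a full stop.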
rfc/default-session-strict-mode.txt · Last modified: 2021/03/27 15:01 by ilutov