rfc:default-session-strict-mode
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
| rfc:default-session-strict-mode [2018/02/13 18:50] – peehaa | rfc:default-session-strict-mode [2018/03/21 11:30] – peehaa | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== PHP RFC: Session strict mode default ini settings ====== | ====== PHP RFC: Session strict mode default ini settings ====== | ||
| - | * Version: 0.1 | + | * Version: 0.2 |
| * Date: 2018-02-13 | * Date: 2018-02-13 | ||
| * Author: Pieter Hordijk, peehaa@php.net | * Author: Pieter Hordijk, peehaa@php.net | ||
| Line 7: | Line 7: | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
| - | Changing default setting '' | + | Changing default setting '' |
| ===== Proposal ===== | ===== Proposal ===== | ||
| - | Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) disable strict mode. However it is recommended to enable it to prevent session fixation issues. | + | Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) |
| - | In by far the most cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users. | + | In the vast majority of cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users by changing the default values in our distributed ini files and by changing the hardcoded default in ''/ |
| + | |||
| + | The default setting for session strict mode will be set to enabled in this proposal. | ||
| ===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
| - | This proposal only changes a default | + | This proposal only changes a default and doesn' |
| The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn' | The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn' | ||
| + | |||
| + | Or if somebody downloads a new PHP version //and// happens to be among the very few users who needs adoptive sessions //and// doesn' | ||
| As such the possible BC impact is almost non-existent. | As such the possible BC impact is almost non-existent. | ||
| + | |||
| + | Also note that a lot of people will be using PHP based on packages which often will come with their own ini files anyway makinh the possible impact of this proposal even smaller. | ||
| ===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
| - | PHP 7.next | + | PHP 7.3 |
| ===== RFC Impact ===== | ===== RFC Impact ===== | ||
| Line 40: | Line 47: | ||
| < | < | ||
| + | |||
| + | In / | ||
| + | |||
| + | < | ||
| ===== Open Issues ===== | ===== Open Issues ===== | ||
| Line 53: | Line 64: | ||
| ===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
| - | No patch supplied yet as it is a trivial change in the ini files. | + | No patch supplied yet as it is a trivial change in the ini files and ''/ |
| ===== Implementation ===== | ===== Implementation ===== | ||
rfc/default-session-strict-mode.txt · Last modified: 2021/03/27 15:01 by ilutov