rfc:default-session-strict-mode

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
rfc:default-session-strict-mode [2018/02/13 18:06] peehaarfc:default-session-strict-mode [2025/04/03 13:08] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== PHP RFC: Session strict mode default ini settings ====== ====== PHP RFC: Session strict mode default ini settings ======
-  * Version: 0.1+  * Version: 0.2
   * Date: 2018-02-13   * Date: 2018-02-13
   * Author: Pieter Hordijk, peehaa@php.net   * Author: Pieter Hordijk, peehaa@php.net
-  * Status: Draft+  * Status: Inactive
   * First Published at: http://wiki.php.net/rfc/default-session-strict-mode   * First Published at: http://wiki.php.net/rfc/default-session-strict-mode
  
 ===== Introduction ===== ===== Introduction =====
-Changing default setting ''session.use_strict_mode'' of distributed .ini'to use strict mode sessions by default preventing session fixation by session adoption.+Changing default setting ''session.use_strict_mode'' to use strict mode sessions by default preventing session fixation by session adoption.
  
 ===== Proposal ===== ===== Proposal =====
-Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) disable strict mode. However it is recommended to enable it to prevent session fixation issues.+Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) as well as the hardcoded default value disable strict mode. However it is recommended to enable it to prevent session fixation issues.
  
-In by far the most cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users. +In the vast majority of cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users by changing the default values in our distributed ini files and by changing the hardcoded default in ''/ext/session/session.c'' 
 + 
 +The default setting for session strict mode will be set to enabled in this proposal.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
-This proposal only changes a default in the distributed ini files and doesn't remove any functionality. +This proposal only changes a default and doesn't remove any functionality. 
-The only possible BC break would be if somebody downloads a new PHP version (including ini files) *andhappens to be among the very few users who needs adoptive sessions *anddoesn't change the session directive.+ 
 +The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn't change the session directive
 + 
 +Or if somebody downloads a new PHP version //and// happens to be among the very few users who needs adoptive sessions //and// doesn't override the hardcoded default by not using ini files.
  
 As such the possible BC impact is almost non-existent. As such the possible BC impact is almost non-existent.
 +
 +Also note that a lot of people will be using PHP based on packages which often will come with their own ini files anyway makinh the possible impact of this proposal even smaller.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
-PHP 8+PHP 7.3
  
 ===== RFC Impact ===== ===== RFC Impact =====
Line 28: Line 35:
  
 ==== To Existing Extensions ==== ==== To Existing Extensions ====
-None?+None
  
 ==== To Opcache ==== ==== To Opcache ====
Line 37: Line 44:
  
 ==== php.ini Defaults ==== ==== php.ini Defaults ====
-If there are any php.ini settings then list: +In both php.ini-development and php.ini-production ''session.use_strict_mode'' will be enabled: 
-  * hardcoded default values + 
-  * php.ini-development values +<code>session.use_strict_mode = 1</code> 
-  * php.ini-production values+ 
 +In /ext/session/session.c ''session.use_strict_mode'' will be enabled: 
 + 
 +<code>STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)</code>
  
 ===== Open Issues ===== ===== Open Issues =====
Line 49: Line 59:
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
-Simple yes/no vote. Yes means changing the default mode in the ini files, no means leave it as it is.+Simple yes/no vote. Yes means changing the default mode in the ini files to enable strict sessions, no means leave it as it is.
  
-State whether this project requires 2/3 or 50%+1 majority (see [[voting]])+Requires a 50%+1 majority
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
-No patch supplied yet as it is a trivial change in the ini files.+No patch supplied yet as it is a trivial change in the ini files and ''/ext/session/session.c''
  
 ===== Implementation ===== ===== Implementation =====
rfc/default-session-strict-mode.1518545194.txt.gz · Last modified: 2025/04/03 13:08 (external edit)

Page Tools