Differences

This shows you the differences between two versions of the page.

--- rfc:default-session-strict-mode [2018/02/13 17:40] – created peehaa
+++ rfc:default-session-strict-mode [2021/03/27 15:01] (current) – Move to inactive ilutov
@@ Line 1: / Line 1: @@
-====== PHP RFC: Your Title Here ======
+====== PHP RFC: Session strict mode default ini settings ======
-  * Version: 0.1
+  * Version: 0.2
   * Date: 2018-02-13
   * Author: Pieter Hordijk, peehaa@php.net
-  * Status: Draft
+  * Status: Inactive
   * First Published at: http://wiki.php.net/rfc/default-session-strict-mode
 ===== Introduction =====
-Changing default setting of distributed .ini's to use strict mode sessions by default.
+Changing default setting ''session.use_strict_mode'' to use strict mode sessions by default preventing session fixation by session adoption.
 ===== Proposal =====
-Currently strict mode for session is disabled by default in our distributed ini files (php.ini-development and php.ini-production). However it is recommended to enable it to prevent session fixation issues.
+Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) as well as the hardcoded default value disable strict mode. However it is recommended to enable it to prevent session fixation issues.
+In the vast majority of cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users by changing the default values in our distributed ini files and by changing the hardcoded default in ''/ext/session/session.c''
+The default setting for session strict mode will be set to enabled in this proposal.
 ===== Backward Incompatible Changes =====
-What breaks, and what is the justification for it?
+This proposal only changes a default and doesn't remove any functionality.
+The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn't change the session directive.
+Or if somebody downloads a new PHP version //and// happens to be among the very few users who needs adoptive sessions //and// doesn't override the hardcoded default by not using ini files.
+As such the possible BC impact is almost non-existent.
+Also note that a lot of people will be using PHP based on packages which often will come with their own ini files anyway makinh the possible impact of this proposal even smaller.
 ===== Proposed PHP Version(s) =====
-List the proposed PHP versions that the feature will be included in.  Use relative versions such as "next PHP 7.x" or "next PHP 7.x.y".
+PHP 7.3
 ===== RFC Impact =====
@@ Line 23: / Line 35: @@
 ==== To Existing Extensions ====
-None?
+None
 ==== To Opcache ====
@@ Line 32: / Line 44: @@
 ==== php.ini Defaults ====
-If there are any php.ini settings then list:
+In both php.ini-development and php.ini-production ''session.use_strict_mode'' will be enabled:
-  * hardcoded default values
-  * php.ini-development values
+<code>session.use_strict_mode = 1</code>
-  * php.ini-production values
+In /ext/session/session.c ''session.use_strict_mode'' will be enabled:
+<code>STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)</code>
 ===== Open Issues =====
@@ Line 44: / Line 59: @@
 ===== Proposed Voting Choices =====
-Simple yes/no vote. Yes means changing the default mode in the ini files, no means leave it as it is.
+Simple yes/no vote. Yes means changing the default mode in the ini files to enable strict sessions, no means leave it as it is.
-State whether this project requires a 2/3 or 50%+1 majority (see [[voting]])
+Requires a 50%+1 majority
 ===== Patches and Tests =====
-No patch supplied yet as it is a trivial change in the ini files.
+No patch supplied yet as it is a trivial change in the ini files and ''/ext/session/session.c''
 ===== Implementation =====

Differences

Page Tools