rfc:default-session-strict-mode

This is an old revision of the document!


PHP RFC: Session strict mode default ini settings

Introduction

Changing default setting of distributed .ini's to use strict mode sessions by default.

Proposal

Currently strict mode for session is disabled by default in our distributed ini files (php.ini-development and php.ini-production). However it is recommended to enable it to prevent session fixation issues.

Backward Incompatible Changes

What breaks, and what is the justification for it?

Proposed PHP Version(s)

List the proposed PHP versions that the feature will be included in. Use relative versions such as “next PHP 7.x” or “next PHP 7.x.y”.

RFC Impact

To SAPIs

None

To Existing Extensions

None?

To Opcache

None

New Constants

None

php.ini Defaults

If there are any php.ini settings then list:

  • hardcoded default values
  • php.ini-development values
  • php.ini-production values

Open Issues

None

Unaffected PHP Functionality

N/A

Proposed Voting Choices

Simple yes/no vote. Yes means changing the default mode in the ini files, no means leave it as it is.

State whether this project requires a 2/3 or 50%+1 majority (see voting)

Patches and Tests

No patch supplied yet as it is a trivial change in the ini files.

Implementation

After the project is implemented, this section should contain

  1. the version(s) it was merged into
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)

References

Links to external references, discussions or RFCs

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/default-session-strict-mode.1518543668.txt.gz · Last modified: 2018/02/13 17:41 by peehaa