PHP RFC: Session strict mode default ini settings

Introduction

This RFC proposes changing the default value of session.use_strict_mode in the distributed .ini files so that sessions use strict mode by default, which prevents session fixation through session ID adoption (the session module accepting a session ID it never issued).

Proposal

Currently strict mode for sessions is disabled by default. Both of our distributed ini files (php.ini-development and php.ini-production) disable strict mode. However, it is recommended to enable it to prevent session fixation issues.

In the vast majority of cases you want strict mode enabled for sessions. As such, this proposal provides a sane default for almost all of our users.
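The behavioural difference the two ini values make can be checked directly. The script below is an added example, not part of the RFC: it presents the session module with an ID the server never issued, the way a fixation attempt would via the session cookie, and reports whether that ID was adopted. It assumes the default "files" save handler, a writable temporary directory, and PHP 7.1 or later (where strict mode also validates an ID set through session_id()).

```php
<?php
// Added example (not from the RFC). Run from the CLI, once per mode:
//   php strict_mode_check.php 0   -> adoptive sessions (current ini default)
//   php strict_mode_check.php 1   -> strict mode (proposed ini default)

function adopts_unknown_id(string $strictMode): bool
{
    // Assumptions: files handler, writable temp dir, session not yet started.
    ini_set('session.save_path', sys_get_temp_dir());
    ini_set('session.use_strict_mode', $strictMode);

    // Constructed value: a syntactically valid ID for which no session
    // exists on the server, i.e. an "uninitialized" session ID.
    $unknownId = 'b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7';
    session_id($unknownId);
    session_start();

    // Adoptive mode keeps the supplied ID and creates a session under it;
    // strict mode rejects an ID the module did not create and issues a new one.
    $adopted = (session_id() === $unknownId);

    session_destroy();
    return $adopted;
}

$mode = $argv[1] ?? '1';
echo "use_strict_mode={$mode}: ",
    adopts_unknown_id($mode)
        ? "unknown ID adopted (session fixation possible)\n"
        : "unknown ID rejected, new ID issued\n";
```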

Backward Incompatible Changes

This proposal only changes a default in the distributed ini files and doesn't remove any functionality. The only possible BC break would be if somebody downloads a new PHP version (including the ini files) *and* happens to be among the very few users who need adoptive sessions *and* doesn't change the session directive.

As such, the possible BC impact is almost non-existent.

Proposed PHP Version(s)

PHP 8

RFC Impact

To SAPIs

None

To Existing Extensions

None?

To Opcache

None

New Constants

None

php.ini Defaults

If there are any php.ini settings then list:

  • hardcoded default values
  • php.ini-development values
  • php.ini-production values

Open Issues

None

Unaffected PHP Functionality

N/A

Proposed Voting Choices

Simple yes/no vote. Yes means changing the default mode in the ini files, no means leave it as it is.

State whether this project requires a 2/3 or 50%+1 majority (see voting)

Patches and Tests

No patch supplied yet as it is a trivial change in the ini files.

Implementation

After the project is implemented, this section should contain

  1. the version(s) it was merged into
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)

References

Links to external references, discussions or RFCs

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/default-session-strict-mode.1518545194.txt.gz · Last modified: 2018/02/13 18:06 by peehaa