This is an old revision of the document!
PHP RFC: Session strict mode default ini settings
- Version: 0.1
- Date: 2018-02-13
- Author: Pieter Hordijk, peehaa@php.net
- Status: Draft
- First Published at: http://wiki.php.net/rfc/default-session-strict-mode
Introduction
Changing default setting session.use_strict_mode
of distributed .ini's to use strict mode sessions by default preventing session fixation by session adoption.
Proposal
Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) disable strict mode. However it is recommended to enable it to prevent session fixation issues.
In by far the most cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users.
Backward Incompatible Changes
This proposal only changes a default in the distributed ini files and doesn't remove any functionality. The only possible BC break would be if somebody downloads a new PHP version (including ini files) *and* happens to be among the very few users who needs adoptive sessions *and* doesn't change the session directive.
As such the possible BC impact is almost non-existent.
Proposed PHP Version(s)
PHP 8
RFC Impact
To SAPIs
None
To Existing Extensions
None?
To Opcache
None
New Constants
None
php.ini Defaults
If there are any php.ini settings then list:
- hardcoded default values
- php.ini-development values
- php.ini-production values
Open Issues
None
Unaffected PHP Functionality
N/A
Proposed Voting Choices
Simple yes/no vote. Yes means changing the default mode in the ini files, no means leave it as it is.
State whether this project requires a 2/3 or 50%+1 majority (see voting)
Patches and Tests
No patch supplied yet as it is a trivial change in the ini files.
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged into
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
- a link to the language specification section (if any)
References
Links to external references, discussions or RFCs
Rejected Features
Keep this updated with features that were discussed on the mail lists.