rfc:default-session-strict-mode

Differences

This shows you the differences between two versions of the page.

rfc:default-session-strict-mode [2018/02/13 18:50] peehaa
rfc:default-session-strict-mode [2021/03/27 15:01] (current) – Move to inactive ilutov
Line 1: Line 1:
 ====== PHP RFC: Session strict mode default ini settings ====== ====== PHP RFC: Session strict mode default ini settings ======
-  * Version: 0.1+  * Version: 0.2
   * Date: 2018-02-13   * Date: 2018-02-13
   * Author: Pieter Hordijk, peehaa@php.net   * Author: Pieter Hordijk, peehaa@php.net
-  * Status: Draft+  * Status: Inactive
   * First Published at: http://wiki.php.net/rfc/default-session-strict-mode   * First Published at: http://wiki.php.net/rfc/default-session-strict-mode
  
 ===== Introduction ===== ===== Introduction =====
-Changing default setting ''session.use_strict_mode'' of distributed .ini'to use strict mode sessions by default preventing session fixation by session adoption.+Changing default setting ''session.use_strict_mode'' to use strict mode sessions by default preventing session fixation by session adoption.
  
 ===== Proposal ===== ===== Proposal =====
-Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) disable strict mode. However it is recommended to enable it to prevent session fixation issues.+Currently strict mode for sessions is disabled by default. Both our distributed ini files (php.ini-development and php.ini-production) as well as the hardcoded default value disable strict mode. However it is recommended to enable it to prevent session fixation issues.
  
-In by far the most cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users. +In the vast majority of cases you want to enable strict mode for sessions. As such this proposal enables a sane default for almost all of our users by changing the default values in our distributed ini files and by changing the hardcoded default in ''/ext/session/session.c'' 
 + 
 +The default setting for session strict mode will be set to enabled in this proposal.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
-This proposal only changes a default in the distributed ini files and doesn't remove any functionality.+This proposal only changes a default and doesn't remove any functionality. 
 The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn't change the session directive. The only possible BC break would be if somebody downloads a new PHP version (including ini files) //and// happens to be among the very few users who needs adoptive sessions //and// doesn't change the session directive.
 +
 +Or if somebody downloads a new PHP version //and// happens to be among the very few users who needs adoptive sessions //and// doesn't override the hardcoded default by not using ini files.
  
 As such the possible BC impact is almost non-existent. As such the possible BC impact is almost non-existent.
 +
 +Also note that a lot of people will be using PHP based on packages which often will come with their own ini files anyway makinh the possible impact of this proposal even smaller.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
-PHP 7.next+PHP 7.3
  
 ===== RFC Impact ===== ===== RFC Impact =====
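Review bot: the new BC paragraph ("Also note that a lot of people will be using PHP based on packages ...") misspells "making" as "makinh", both BC paragraphs should read "users who need adoptive sessions" rather than "who needs", and the revised Proposal sentence ending in ''/ext/session/session.c'' has no full stop. On substance, the Proposal section would be clearer if it said in one sentence what strict mode actually does (the server rejects a session ID it did not itself generate, which is what closes the fixation-by-adoption path named in the Introduction), so that the BC discussion of "adoptive sessions" is self-explanatory to readers who have not read the ''session.use_strict_mode'' documentation.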
Line 40: Line 47:
  
 <code>session.use_strict_mode = 1</code> <code>session.use_strict_mode = 1</code>
 +
 +In /ext/session/session.c ''session.use_strict_mode'' will be enabled:
 +
 +<code>STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)</code>
  
 ===== Open Issues ===== ===== Open Issues =====
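Review bot: the session.c snippet `STD_PHP_INI_ENTRY("session.use_strict_mode", "1", ....)` shows only the new literal; since the Proposal section says the hardcoded default currently disables strict mode, the text should state explicitly that the existing entry's value changes from "0" to "1" rather than a new entry being added, so a reader can confirm which line is touched. A one-line check that the hardcoded default took effect without any ini file is `php -n -r 'var_dump(ini_get("session.use_strict_mode"));'`, which should print `string(1) "1"` after the change.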
Line 53: Line 64:
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
-No patch supplied yet as it is a trivial change in the ini files.+No patch supplied yet as it is a trivial change in the ini files and ''/ext/session/session.c''
  
 ===== Implementation ===== ===== Implementation =====
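Review bot: the revised sentence ends without punctuation after ''/ext/session/session.c''. Even for a trivial change, a patch is worth supplying because it would also show which existing ext/session tests depend on the adoptive behaviour and therefore need ''session.use_strict_mode=0'' set explicitly in their INI sections once the default flips.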
rfc/default-session-strict-mode.1518547849.txt.gz · Last modified: 2018/02/13 18:50 by peehaa