rfc:deprecate-get-post-sessions

PHP RFC: Deprecate GET/POST sessions

Introduction

PHP supports two ways to propagate session token ID: via cookies and through GET or POST parameters. Cookies are the default preferred method that has become the de facto standard way of doing it. Using URL parameters and hidden form input fields has many drawbacks, both in terms of security and usability, but since cookies may not always be available, PHP provides that as an alternative option. PHP documentation on passing session ID

To ease the implementation of this fallback mechanism, a feature called use_trans_sid is available which will automatically transform all relative URLs to include the session token ID. This way, if cookies are not enabled then PHP can seamlessly switch over to using URL parameters.

Using GET/POST to propagate session identifiers is generally considered a bad practice. For example, see Why is passing the session id as URL parameter insecure?

Proposal

The proposal is to deprecate both features: initialization of session from identifier received via GET/POST, and automatic transformation of URLs in the script's output.

However, we should not deprecate these INI settings completely. It's estimated that the vast majority of PHP installations have both of these features disabled (either consciously or by default) in their INI files. Thus the deprecation will only apply to setups which have either of these INI settings enabled.

Setups that use default settings, such as the following, will NOT trigger a deprecation warning:

session.use_only_cookies=On
session.use_trans_sid=Off

Installations that have either of these switches in a different position will generate a deprecation warning:

session.use_only_cookies=Off ; Will generate a deprecation warning
session.use_trans_sid=On ; Will generate a deprecation warning

Changing any of the following settings will be deprecated:

  • session.use_only_cookies
  • session.use_trans_sid
  • session.trans_sid_tags
  • session.trans_sid_hosts
  • session.referer_check

Setting any of these options through session_start() to their non-default value will also be deprecated.

The constant SID will also be deprecated as part of this RFC. The standalone proposal to deprecate this constant has also been made in Deprecations for PHP 8.4 RFC.

The goal is to remove these features completely in PHP 9.0. The above-listed INI entries and the constant SID will be removed.

session.use_cookies = Off

I can't confirm whether it was intentional to allow the usage of cookie sessions without sending the cookie, but people have used this trick to adhere to strict PSR-7 standard. As explained by Paul M. Jones in his blog disabling session.use_cookies instructs PHP not to send the session ID in the cookie upon session start. The responsibility of sending the cookie with the session ID falls on the developer who can do it at their most convenient time. For this reason, this INI setting will remain unaffected.

Backward Incompatible Changes

Apart from generating a deprecation notice, no other immediate backward incompatible changes are foreseen. However, once these settings get removed in the next major PHP version, using any of these INI settings will become impossible.

Using automatic transformation of URLs will become impossible out of the box starting with PHP 9.0. To keep using this feature, PHP users will have to implement it in userland. While PHP will not read the session token from GET/POST parameters automatically anymore, it will still be possible to start a session with an ID received in such a way by manually setting it via session_id()

Unaffected Functionality

Function output_add_rewrite_var() will remain unaffected. Only the automatic rewriting of URLs to add PHPSESSID will be deprecated.

The hack which allows for manual control of the session cookie using the INI setting session.use_cookies will remain possible.

Version

Deprecation in the next minor version, PHP 8.4.

Removal in PHP 9.0.

Vote

As per the voting RFC a yes/no vote with a 2/3 majority is needed for this proposal to be accepted.

Voting started on 2024-04-09 and will end on 2024-04-23.

Accept Deprecate GET/POST session identifiers
Real name Yes No
alcaeus (alcaeus)  
asgrim (asgrim)  
beberlei (beberlei)  
bwoebi (bwoebi)  
crell (crell)  
dams (dams)  
devnexen (devnexen)  
dharman (dharman)  
ericmann (ericmann)  
gasolwu (gasolwu)  
girgias (girgias)  
heiglandreas (heiglandreas)  
jimw (jimw)  
kelunik (kelunik)  
kguest (kguest)  
kocsismate (kocsismate)  
mbeccati (mbeccati)  
ocramius (ocramius)  
petk (petk)  
ramsey (ramsey)  
reywob (reywob)  
santiagolizardo (santiagolizardo)  
seld (seld)  
sergey (sergey)  
svpernova09 (svpernova09)  
theodorejb (theodorejb)  
timwolla (timwolla)  
trowski (trowski)  
weierophinney (weierophinney)  
Final result: 29 0
This poll has been closed.

Implementation

  1. merged into master (will become PHP-8.4)
  2. documentation update pending
rfc/deprecate-get-post-sessions.txt · Last modified: 2024/08/25 12:18 by cmb